CVE-2020-17480

Name: CVE-2020-17480
Description: TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release          Version          Status
tinymce (PTS)     stretch          3.4.8+dfsg0-1    vulnerable
                  buster           3.4.8+dfsg0-2    vulnerable
                  bullseye, sid    3.4.8+dfsg0-3    vulnerable

The information below is based on the following data on fixed versions.

Package    Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
tinymce    source    (unstable)    (unfixed)

Notes

[buster] - tinymce <no-dsa> (Minor issue)
https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95
