Inadequate sanitization checks result in web security flaw in HTML text editor

Thousands of websites that rely on the TinyMCE application need to update the software following the discovery of a serious cross-site scripting (XSS) vulnerability.

The security flaw, discovered by researchers at Bishop Fox, could result in sensitive information disclosure, privilege escalation, and account takeover. The impact of the vulnerability is configuration dependent and therefore variable.

The use of ‘classic’ editing mode, existing XSS protections, and whether users can control the initial content inside the editor all affect the exploitability of this vulnerability, according to Bishop Fox.

The issue was identified in TinyMCE 5.2.1, but other versions of the software were later identified as vulnerable.

Hot Fuzz

TinyMCE is a What-You-See-Is-What-You-Get (WYSIWYG) HTML text editor and JavaScript library. Third-party websites use the technology to provide text editing functionality, including the ability to create and modify HTML text.

Security researchers at Bishop Fox discovered the issue as part of a client assessment. After throwing XSS payloads at the text editor, they uncovered what turned out to be a widely distributed bug.

George Steketee, senior security consultant at Bishop Fox and one of the key researchers behind the discovery of the vulnerability, told The Daily Swig that the vulnerability arose from a flaw in TinyMCE’s parsing logic.

“From the payload and vendor patch notes, it seems as though the payload causes the parser to get ‘confused’ and consider the img tag part of the DOM, rather than as text,” he explained.

“However, we did not look into TinyMCE’s code too far, and I would be very interested to see what other people find in this area.”

Patching and remediation

Steketee and his colleague Chris Davis reported the issue to TinyMCE’s developers in April. After some months working on a patch, updates to the software were issued earlier this week.

TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower are confirmed as vulnerable to a flaw that allows “arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs”, developers Tiny Technologies warn.

Web admins need to upgrade to either TinyMCE version 4.9.11 or 5.4.1, as explained in an advisory posted on GitHub. The fix involved “improved HTML parsing and sanitization logic”.
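
An added example, not from the article or from Tiny Technologies: a Node.js check that flags TinyMCE copies in an npm lockfile using the affected ranges and fixed releases quoted above. The lockfile contents are constructed, the function names are hypothetical, and major versions above 5 are treated as outside the stated ranges.

```javascript
// Added example: fixed releases named in the advisory, keyed by major line.
const FIXED = { 4: [4, 9, 11], 5: [5, 4, 1] };

// Parse "major.minor.patch"; pre-release suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "4.9.10 or lower" covers 4.x and older; 5.x is fixed in 5.4.1.
// Majors above 5 are outside the ranges the article lists.
function assessTinyMce(version) {
  const v = parseVersion(version);
  if (!v) return { vulnerable: null, upgradeTo: null }; // needs manual review
  const fix = v[0] >= 5 ? FIXED[5] : FIXED[4];
  const vulnerable = v[0] <= 5 && compare(v, fix) < 0;
  return { vulnerable, upgradeTo: vulnerable ? fix.join('.') : null };
}

// Walk the "packages" map of an npm lockfile (v2/v3 layout), including
// nested copies pulled in by other dependencies.
function findVulnerableTinyMce(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/tinymce$/.test(path)) continue;
    const result = assessTinyMce(meta.version);
    if (result.vulnerable !== false) findings.push({ path, version: meta.version, ...result });
  }
  return findings;
}

// Constructed sample lockfile; package names other than tinymce are made up.
const sampleLock = {
  packages: {
    '': { name: 'demo-app' },
    'node_modules/tinymce': { version: '5.2.1' },
    'node_modules/legacy-widget/node_modules/tinymce': { version: '4.9.10' },
    'node_modules/cms-plugin/node_modules/tinymce': { version: '5.4.1' },
    'node_modules/tinymce-helper': { version: '1.0.0' },
  },
};

console.log(findVulnerableTinyMce(sampleLock));
```

Copies of TinyMCE served from a CDN or vendored into a static directory do not appear in a lockfile and need a separate check.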


In response to queries from The Daily Swig, Dylan Just, information security lead at Tiny Technologies, explained: “TinyMCE is a web-based rich text editor, and the issue relates to content not being correctly sanitized before being loaded into the editor.”

He continued: “We have released fixes for TinyMCE 4 and 5, but we recommend that all users upgrade to the latest TinyMCE 5. Further to this, we recommend that users sanitize content server-side, and add a suitable Content Security Policy to their websites.”

“We would like to thank Bishop Fox for responsibly disclosing the issue to us and for their prompt communication and professionalism,” Just concluded.

A detailed technical write-up of the vulnerability has been published on the Bishop Fox website.
