
fix(deps): update dependency tinymce to v6.7.1 [security] - autoclosed #4941

Closed

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Oct 19, 2023

Mend Renovate

This PR contains the following updates:

Package: tinymce (source)
Change: 6.7.0 -> 6.7.1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-45818

Impact

A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native DOMParser API (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed.
This vulnerability also impacts these related TinyMCE APIs and plugins:

Patches

This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation.

Fix

To avoid this vulnerability:

  • Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.
  • Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.

References

For more information

If you have any questions or comments about this advisory:

CVE-2023-45819

Impact

A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit require carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered.

When a notification was opened, the HTML within the text argument was displayed unfiltered in the notification. The vulnerability allowed arbitrary JavaScript execution when a notification was presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration which uses a TinyMCE notification to display unfiltered HTML content.

Patches

This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized, preventing the exploit.

Fix

To avoid this vulnerability:

  • Upgrade to TinyMCE 5.10.8 or higher for TinyMCE 5.x.
  • Upgrade to TinyMCE 6.7.1 or higher for TinyMCE 6.x.

References

For more information

If you have any questions or comments about this advisory:


Release Notes

tinymce/tinymce (tinymce)

v6.7.1

Compare Source

Fixed
  • Specific HTML content caused mXSS when using undo/redo. #TINY-10180
  • Specific HTML content caused mXSS when using the getContent and setContent APIs with the format: 'raw' option, which also affected the resetContent API and the draft restoration feature of the Autosave plugin. #TINY-10236
  • Notification messages containing HTML were not properly XSS sanitized before being displayed. #TINY-10286

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
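A quick way to confirm whether an installed copy of tinymce is still within the ranges fixed by the two advisories above (5.10.8 for 5.x, 6.7.1 for 6.x). This is an added example, not code from TinyMCE, Renovate or the openEQUELLA project; the lockfile fragment and the helper names (parseVersion, isVulnerableTinymce, findAffectedTinymce) are constructed for the illustration.

```javascript
// Added example (not from TinyMCE or this PR): flag tinymce versions below
// the patched releases named in CVE-2023-45818 / CVE-2023-45819.

// Patched version per major line, taken from the advisory text above.
const PATCHED = { 5: [5, 10, 8], 6: [6, 7, 1] };

// Parse a plain "x.y.z" (optional leading "v") into [major, minor, patch].
// Anything else (git URL, prerelease tag, range) returns null.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls in an affected range. Unparseable versions
// are flagged conservatively for manual review; majors the advisory does
// not mention (e.g. a future 7.x) are reported as not affected.
function isVulnerableTinymce(version) {
  const parsed = parseVersion(version);
  if (!parsed) return true;
  const fixed = PATCHED[parsed[0]];
  return fixed ? compareVersions(parsed, fixed) < 0 : false;
}

// Walk an npm lockfile object: v2/v3 "packages" (keys are install paths,
// so nested copies are found too) or, failing that, top-level v1 "dependencies".
function findAffectedTinymce(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/tinymce') && isVulnerableTinymce(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const v1 = (lock.dependencies || {}).tinymce;
  if (v1 && isVulnerableTinymce(v1.version)) hits.push({ path: 'tinymce', version: v1.version });
  return hits;
}

// Constructed sample (v3 layout) mirroring this PR's 6.7.0 -> 6.7.1 bump;
// not the real react-front-end/package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/tinymce': { version: '6.7.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

console.log(findAffectedTinymce(SAMPLE_LOCK)); // [{ path: 'node_modules/tinymce', version: '6.7.0' }]
```

Point it at the parsed contents of a real lockfile (JSON.parse of package-lock.json) to get the list of install paths that still need the upgrade.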

@renovate
Contributor Author

renovate bot commented Oct 19, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: react-front-end/package-lock.json
npm WARN skipping integrity check for git dependency ssh://[email protected]/apereo/openEQUELLA-cloudprovidersdk.git 
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm ERR! code 127
npm ERR! path /tmp/worker/5389e5/c74dc7/repos/github/openequella/openEQUELLA/oeq-ts-rest-api
npm ERR! command failed
npm ERR! command sh -c -- cd gen-io-ts && npm ci && npm run gen && cd -
npm ERR! added 69 packages, and audited 70 packages in 1s
npm ERR! 
npm ERR! found 0 vulnerabilities
npm ERR! 
npm ERR! > [email protected] gen
npm ERR! > ts-node src/index.ts --source ../src --dest ../src/gen  && eslint --fix ../src
npm ERR! 
npm ERR! Searching TS files from directory: /tmp/worker/5389e5/c74dc7/repos/github/openequella/openEQUELLA/oeq-ts-rest-api/src
npm ERR! Searching TS files from directory: /tmp/worker/5389e5/c74dc7/repos/github/openequella/openEQUELLA/oeq-ts-rest-api/src/fp-ts-ord
npm ERR! Searching TS files from directory: /tmp/worker/5389e5/c74dc7/repos/github/openequella/openEQUELLA/oeq-ts-rest-api/src/gen
npm ERR! Writing codec content to AdvancedSearch.ts...
npm ERR! Writing codec content to BatchOperationResponse.ts...
npm ERR! Writing codec content to Collection.ts...
npm ERR! Writing codec content to Common.ts...
npm ERR! Writing codec content to Drm.ts...
npm ERR! Writing codec content to Errors.ts...
npm ERR! Writing codec content to FacetedSearchSettings.ts...
npm ERR! Writing codec content to Favourite.ts...
npm ERR! Writing codec content to LegacyContent.ts...
npm ERR! Writing codec content to LtiPlatform.ts...
npm ERR! Writing codec content to MimeType.ts...
npm ERR! Writing codec content to Schema.ts...
npm ERR! Writing codec content to Search.ts...
npm ERR! Writing codec content to SearchFacets.ts...
npm ERR! Writing codec content to SearchFilterSettings.ts...
npm ERR! Writing codec content to SearchSettings.ts...
npm ERR! Writing codec content to Security.ts...
npm ERR! Writing codec content to Settings.ts...
npm ERR! Writing codec content to Taxonomy.ts...
npm ERR! Writing codec content to Theme.ts...
npm ERR! Writing codec content to UserQuery.ts...
npm ERR! Writing codec content to WizardCommonTypes.ts...
npm ERR! Writing codec content to WizardControl.ts...
npm ERR! sh: 1: eslint: not found

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/worker/5389e5/c74dc7/cache/others/npm/_logs/2023-10-19T21_19_37_890Z-debug-0.log

@renovate renovate bot changed the title fix(deps): update dependency tinymce to v6.7.1 [security] fix(deps): update dependency tinymce to v6.7.1 [security] - autoclosed Nov 1, 2023
@renovate renovate bot closed this Nov 1, 2023
@renovate renovate bot deleted the renovate/npm-tinymce-vulnerability branch November 1, 2023 23:08