CVE-2012-4230

Severity

43%

Complexity

86%

Confidentiality

48%

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Overview

First reported 10 years ago

2014-04-25 14:15:00

Last updated 7 years ago

2017-08-29 01:32:00

Affected Software

TinyMCE 3.5.8

3.5.8

References

91130

http://packetstormsecurity.com/files/120750/TinyMCE-3.5.8-Cross-Site-Scripting.html

Exploit

20130311 XSS Vulnerability in TinyMCE

Exploit

http://www.madirish.net/554

Exploit

58424

tinymce-htmlentities-xss(82744)

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.