{"id":"CVE-2024-29881","summary":"TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements","details":"TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content loading and content inserting code. An SVG image could be loaded through an `object` or `embed` element, and that image could potentially contain an XSS payload. This vulnerability is fixed in 6.8.1 and 7.0.0. Per the linked release notes, 6.8.1 introduces the `convert_unsafe_embeds` editor option, which converts `object` and `embed` elements to more restrictive alternatives (`img` for image MIME types, `video` for video, `audio` for audio, or `iframe` for other or unspecified MIME types), and 7.0.0 defaults that option to true; on 6.8.x the option appears to require explicit enablement. Note: the enumerated `versions` list in this record includes releases later than the stated fix versions (6.8.2 onward, 7.x and 8.x), which appears to be an artifact of the git-range conversion rather than evidence those releases are vulnerable; confirm affected status against the GHSA advisory and the fixed-version statement above.","aliases":["GHSA-5359-pvf2-pw78"],"modified":"2026-04-02T10:09:38.060854Z","published":"2024-03-26T13:31:15.375Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29881.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types"},{"type":"WEB","url":"https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29881.json"},{"type":"ADVISORY","url":"https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29881"},{"type":"FIX","url":"https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tinymce/tinymce","events":[{"introduced":"cc69eff2819659a199261bbdfacdbb08ae083923"},{"fixed":"38b36acdf3610b8116014570b7a065710730db90"}]}],"versions":["6.8.2","6.8.3","6.8.4","6.8.5","6.8.6","7.0.0","7.0.1","7.1.0","7.1.1","7.1.2","7.2.0","7.2.1","7.3.0",
"7.4.0","7.4.1","7.5.0","7.5.1","7.6.0","7.6.1","7.7.0","7.7.1","7.7.2","7.8.0","7.9.0","7.9.1","7.9.2","8.0.0","8.0.1","8.0.2","8.1.0","8.1.1","8.1.2","8.2.0","8.2.1","8.2.2","8.3.0","8.3.1","8.3.2","8.4.0","@ephox/acid@6.0.2","@ephox/acid@6.0.3","@ephox/acid@7.0.0","@ephox/acid@8.0.0","@ephox/agar@10.0.0","@ephox/agar@8.0.1","@ephox/agar@9.0.0","@ephox/alloy@14.0.2","@ephox/alloy@14.0.3","@ephox/alloy@15.0.0","@ephox/alloy@16.0.0","@ephox/boss@6.1.1","@ephox/boss@7.0.0","@ephox/boss@8.0.0","@ephox/boulder@7.1.6","@ephox/boulder@8.0.0","@ephox/boulder@9.0.0","@ephox/bridge@4.7.1","@ephox/bridge@5.0.0","@ephox/bridge@6.0.0","@ephox/darwin@10.0.0","@ephox/darwin@8.2.1","@ephox/darwin@9.0.0","@ephox/dragster@7.3.1","@ephox/dragster@8.0.0","@ephox/dragster@9.0.0","@ephox/jax@7.0.10","@ephox/jax@8.0.0","@ephox/jax@9.0.0","@ephox/katamari-assertions@4.0.10","@ephox/katamari-assertions@5.0.0","@ephox/katamari-assertions@6.0.0","@ephox/katamari@10.0.0","@ephox/katamari@11.0.0","@ephox/katamari@9.1.6","@ephox/mcagar@10.0.0","@ephox/mcagar@11.0.0","@ephox/mcagar@9.0.1","@ephox/phoenix@10.0.0","@ephox/phoenix@8.4.1","@ephox/phoenix@9.0.0","@ephox/polaris@6.3.1","@ephox/polaris@7.0.0","@ephox/polaris@8.0.0","@ephox/porkbun@7.0.10","@ephox/porkbun@8.0.0","@ephox/porkbun@9.0.0","@ephox/robin@10.4.1","@ephox/robin@11.0.0","@ephox/robin@12.0.0","@ephox/sand@6.0.10","@ephox/sand@7.0.0","@ephox/sand@8.0.0","@ephox/snooker@11.2.1","@ephox/snooker@12.0.0","@ephox/snooker@13.0.0","@ephox/sugar@10.0.0","@ephox/sugar@11.0.0","@ephox/sugar@9.3.1","@tinymce/oxide-icons-default@2.6.1","@tinymce/oxide-icons-default@3.0.0","@tinymce/oxide-icons-default@4.0.0","@tinymce/oxide@2.8.2","@tinymce/oxide@3.0.0","@tinymce/oxide@4.0.0","tinymce@6.8.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-29881.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}]}