From 889245d50cf2385caebbf0c74ace79625240d784 Mon Sep 17 00:00:00 2001 From: Karl Kemister-Sheppard Date: Wed, 19 Jun 2024 19:33:10 +1000 Subject: [PATCH 1/2] DOC-2457: TinyMCE 6.8.4 Security Patch. --- modules/ROOT/nav.adoc | 3 ++ modules/ROOT/pages/6.8.4-release-notes.adoc | 45 +++++++++++++++++++++ modules/ROOT/pages/changelog.adoc | 6 +++ modules/ROOT/pages/release-notes.adoc | 6 +++ 4 files changed, 60 insertions(+) create mode 100644 modules/ROOT/pages/6.8.4-release-notes.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 9a27854e01..c74f2cf932 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -407,6 +407,9 @@ ** xref:tinymce-and-cors.adoc[Cross-Origin Resource Sharing (CORS)] * Release information ** xref:release-notes.adoc[Release notes for {productname} 6] +*** {productname} 6.8.4 +**** xref:6.8.4-release-notes.adoc#overview[Overview] +**** xref:6.8.4-release-notes.adoc#security-fix[Security fix] *** {productname} 6.8.3 **** xref:6.8.3-release-notes.adoc#overview[Overview] **** xref:6.8.3-release-notes.adoc#accompanying-premium-self-hosted-server-side-component-changes[Accompanying Premium self-hosted server-side component changes] diff --git a/modules/ROOT/pages/6.8.4-release-notes.adoc b/modules/ROOT/pages/6.8.4-release-notes.adoc new file mode 100644 index 0000000000..1c51276731 --- /dev/null +++ b/modules/ROOT/pages/6.8.4-release-notes.adoc 
@@ -0,0 +1,45 @@ += TinyMCE {release-version} +:release-version: 6.8.4 +:navtitle: TinyMCE {release-version} +:description: Release notes for TinyMCE {release-version} +:keywords: releasenotes, new, changes, bugfixes +:page-toclevels: 1 + +include::partial$misc/admon-releasenotes-for-stable.adoc[] + +[[overview]] +== Overview + +{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Wednesday, June 19^th^, 2024. These release notes provide an overview of the changes for {productname} {release-version}, including: + +* xref:security-fixes[Security fixes] + + +[[security-fixes]] +== Security fixes + +{productname} 6.8.4 includes two fixes for the following security issues: + +=== HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability. +// #TINY-11019 + +A https://owasp.org/www-community/attacks/xss/[cross-site scripting] (XSS) vulnerability was discovered in {productname}'s content parsing code. This allowed specially crafted `noscript` elements containing malicious code to be executed when that content was loaded into the editor. + +This vulnerability has been patched in {productname} 7.2.0, {productname} {release-version} and {productname} 5.11.0 LTS by ensuring that content within `noscript` elements are properly parsed. + +GHSA: link:https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x[GitHub Advisory]. + +CVE: Pending. + +NOTE: Tiny Technologies would like to thank link:https://malavkhatri.com/[Malav Khatri (devilbugbounty)] and another reported for discovering this vulnerability. + +=== It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option. +// #TINY-11022 + +A https://owasp.org/www-community/attacks/xss/[cross-site scripting] (XSS) vulnerability was discovered in {productname}'s content extraction code. 
When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor. + +This vulnerability has been patched in {productname} 7.2.0, {productname} {release-version} and {productname} 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added. + +GHSA: link:https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph[GitHub Advisory]. + +CVE: Pending. \ No newline at end of file diff --git a/modules/ROOT/pages/changelog.adoc b/modules/ROOT/pages/changelog.adoc index cab2bbe5cf..90ac7ae4a6 100644 --- a/modules/ROOT/pages/changelog.adoc +++ b/modules/ROOT/pages/changelog.adoc @@ -4,6 +4,12 @@ NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes]. +## 6.8.4 - 2024-06-19 + +=== Fixed +* HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability. +* It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option. + == 6.8.3 - 2024-02-08 === Changed diff --git a/modules/ROOT/pages/release-notes.adoc b/modules/ROOT/pages/release-notes.adoc index 31d9ba9095..f9fa1265ab 100644 --- a/modules/ROOT/pages/release-notes.adoc +++ b/modules/ROOT/pages/release-notes.adoc @@ -9,6 +9,12 @@ This section lists the releases for {productname} 6 and the changes made in each [cols="1,1"] |=== +a| +[.lead] +xref:6.8.4-release-notes.adoc#overview[{productname} 6.8.4] + +Release notes for {productname} 6.8.4 + a| [.lead] xref:6.8.3-release-notes.adoc#overview[{productname} 6.8.3] From 6523cbae142c2f0593b2056425a8bc68156ba386 Mon Sep 17 00:00:00 2001 
From: Karl Kemister-Sheppard Date: Wed, 19 Jun 2024 19:57:44 +1000 Subject: [PATCH 2/2] Update modules/ROOT/pages/6.8.4-release-notes.adoc --- modules/ROOT/pages/6.8.4-release-notes.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/6.8.4-release-notes.adoc b/modules/ROOT/pages/6.8.4-release-notes.adoc index 1c51276731..29fb9fccbd 100644 --- a/modules/ROOT/pages/6.8.4-release-notes.adoc +++ b/modules/ROOT/pages/6.8.4-release-notes.adoc @@ -31,7 +31,7 @@ GHSA: link:https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g CVE: Pending. -NOTE: Tiny Technologies would like to thank link:https://malavkhatri.com/[Malav Khatri (devilbugbounty)] and another reported for discovering this vulnerability. +NOTE: Tiny Technologies would like to thank link:https://malavkhatri.com/[Malav Khatri (devilbugbounty)] and another reporter for discovering this vulnerability. === It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option. // #TINY-11022
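Review bot: The nav.adoc hunk links to an anchor that the new page never defines. `**** xref:6.8.4-release-notes.adoc#security-fix[Security fix]` targets `#security-fix`, but 6.8.4-release-notes.adoc declares `[[security-fixes]]` (plural) and its overview list already uses `xref:security-fixes[Security fixes]`, so the nav entry will render as a broken cross-reference and the label disagrees with the page, which documents two fixes. Change the line to `**** xref:6.8.4-release-notes.adoc#security-fixes[Security fixes]`.

Review bot: In the 6.8.4-release-notes.adoc hunk, the sentence "by ensuring that content within `noscript` elements are properly parsed" has a subject/verb mismatch ("content ... are"); make it "content within `noscript` elements is properly parsed". The same hunk's acknowledgement line reads "and another reported for discovering this vulnerability"; PATCH 2/2 corrects this to "another reporter", so squashing the two commits would keep the page history clean. The file is also added without a trailing newline ("\ No newline at end of file" after `CVE: Pending.`), which the other .adoc files in this diff do have; add one before merging.

Review bot: The changelog.adoc hunk introduces the heading as `## 6.8.4 - 2024-06-19` (Markdown-style), while the neighbouring entry in the same file uses the AsciiDoc form `== 6.8.3 - 2024-02-08`. Asciidoctor tolerates `##`, but the file's convention is `==`, and mixing the two makes the section levels easy to misread in later edits. Use `== 6.8.4 - 2024-06-19` to match the existing entries.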