Security Scan reports vulnerable TinyMCE version lib. #10217
Comments
|
Hi @MrenGit Thanks for bringing this to our attention. We'll take a look and let you know what we decide. Emma |
emma-hq
added
the
state/needs-investigation
|
Heyo, Is there any update on this, it's currently a pretty major blocker for one of our projects. |
|
@MrenGit We previously looked into an upgrade and it is currently infeasible to upgrade to v5 of Tiny: https://github.com/umbraco/rfcs/blob/main/cms/0016-TinyMCE-RTE-Improvements.md There are 2 vulnerabilities here (with the same root cause), that are both marked with "moderate severity". Both are due to a lack of URL sanitation. Number 2 doesn't affect standard installs of Umbraco, we don't allow If this is a blocker for you, the fix here is to remove What is needed for an attack?The one thing we can imagine is that a user in the backoffice with intimate knowledge of both this TinyMce vulnerability AND intimate knowledge of the inner workings of Umbraco could potentially be able to devise a URL which, when executed by an admin, might elevate the editors user account to admin. It has to be noted that this is currently a theoretical attack, we don't know if this is actually possible. Our ratingFor now, we rate the severity as "low" since
However, over time someone might create a simple URL that leads to an exploit, so this should be addressed in how we configure TinyMCE. As such, we think it's safe to use the current version as is but we'll have to discuss with the team what mitigations we could put in place, using the guidance provided by Tiny in both vulnerability reports. |
|
Thanks so much for this @nul800sebastiaan, that is exacly what I needed 😃 |
|
Hey @nul800sebastiaan, hope all is well. This is more of a formality than anything due a client wanting to follow up on this issue, but are you able to provide a potential timing plan for a fix for this issue, or even if there is one. Thanks P.S. I know the open source nature of Umbraco makes this a potentially impossible question, as I said it's more of a formality than anything. |
nul800sebastiaan
added
state/in-sprint
|
Sorry I didn't see your query @MMasey - this is in our current sprint now to look into. |
|
Hi @nul800sebastiaan, any news about the investigation at your side by chance? In one of our projects this vulnerability was also raised during a security scan. The workaround you mentioned is highly appreciated, but this unfortunately does not avoid the vulnerability being raised in new scans. Thanks in advance! |
nul800sebastiaan
removed
the
state/in-sprint
|
Fixed in #10653 - make sure to read the details there. For existing sites this will require active opt-in as it changes sanitization behavior which might affect your workflow. For new installs the default will be that you are opted in to the additional sanitization. |
|
Please do note: we will still get the same results in the security scans, since we can not upgrade to Tiny version 5 at this time. So when relevant you can point to this issue and the related pull request. |
A automated security scan reports TinyMCE 4.9.11 as a vulnerable version, and recommends upgrade to 5.4.0
The lib seems to be detected on the Umbraco Login page.
Are there any plans of upgrading the library?
Umbraco version
Umbraco 8.11.1, but also seems to be the case in 8.13.0
The text was updated successfully, but these errors were encountered: