
[GHSA-vg35-5wq7-3x7w] TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin data-mce-object injection#8067

Open
sbrinkhorst wants to merge 1 commit into sbrinkhorst/advisory-improvement-8067 from sbrinkhorst-GHSA-vg35-5wq7-3x7w

Conversation

@sbrinkhorst


Updates

  • Affected products

Comments
Version 5.11.1 is not open source, but part of a commercial LTS contract. But it exists. If no patched version is set, the resulting range in the data is simply >0, meaning that all versions are vulnerable. This is problematic when people try to automatically process the data. The JSON contains last_known_affected_version_range in the database_specific information, but that requires more parsing.

The alternative is to use the 7.9.3 version as fixed version, because it is the earliest freely available fixed version, but that would result in false positives for users of the LTS version.

> 0, <=5.10.9 would be correct and makes sure the range is closed

@github

github commented Jun 19, 2026

Collaborator

Hi there @MitchC1999! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

Copilot stopped work on behalf of sbrinkhorst due to an error June 19, 2026 13:51
@github-actions github-actions Bot changed the base branch from main to sbrinkhorst/advisory-improvement-8067 June 19, 2026 13:52
"introduced": "0"
},
{
"fixed": "5.11.1"

Author

Suggested change
"fixed": "5.11.1"
"last_affected": "5.10.9"

The web form didn't allow me to do this, but the OSV schema also supports last_affected. This is the last known open source version of the 5.x range and it is vulnerable. The database_specific part can then stay. It leaves the status of e.g. 5.11.0 a bit up in the air, but we simply cannot know. But at least the range is not open anymore.
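The range semantics argued over in this thread (the open ">0" range, "fixed": "7.9.3", "fixed": "5.11.1" and "last_affected": "5.10.9"), as an added example that is not the advisory's JSON and not OSV or GitHub tooling: a Python implementation of the OSV schema's introduced / fixed / last_affected event evaluation, run over each encoding. The dotted-integer version comparator, the probe versions and the parsing of the free-text last_known_affected_version_range are assumptions made for illustration.

```python
"""OSV range semantics for the encodings discussed in this thread.

Added example; it is not the advisory's JSON nor code from OSV or GitHub.
It implements the OSV schema's event evaluation (introduced / fixed /
last_affected) with a simplified version comparator and probes the four
ways of closing the TinyMCE 5.x range that the comments consider.
"""
import re
from typing import Iterable


def parse_version(version: str) -> tuple[int, ...]:
    """Assumption: versions are plain dotted integers such as "5.10.9".

    Real ECOSYSTEM/SEMVER ranges need the ecosystem's own comparator (npm
    semver for TinyMCE). "0" is the OSV sentinel for "every version".
    """
    return tuple(int(part) for part in version.split("."))


def _event_version(event: dict[str, str]) -> str:
    # Each OSV event object carries exactly one key/value pair.
    (value,) = event.values()
    return value


def is_affected(version: str, events: Iterable[dict[str, str]]) -> bool:
    """OSV evaluation: walk events in version order, flipping the affected state.

    [introduced, fixed) is affected; [introduced, last_affected] is affected.
    An 'introduced' with no closing event stays affected for every later
    version, which is the ">0" problem described in the thread.
    """
    v = parse_version(version)
    affected = False
    for event in sorted(events, key=lambda e: parse_version(_event_version(e))):
        if "introduced" in event and v >= parse_version(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= parse_version(event["fixed"]):
            affected = False
        elif "last_affected" in event and v > parse_version(event["last_affected"]):
            affected = False
    return affected


# Assumption: the database_specific text looks like "<= 5.10.9" or "< 5.11.1".
_DB_SPECIFIC = re.compile(r"^\s*(<=|<)\s*(\S+)\s*$")


def events_from_database_specific(range_text: str) -> list[dict[str, str]]:
    """Turn the free-text last_known_affected_version_range into OSV events.

    Only the two operator shapes above are handled; anything else raises
    instead of guessing, because a wrong guess silently reopens the range.
    """
    match = _DB_SPECIFIC.match(range_text)
    if not match:
        raise ValueError(f"unsupported range text: {range_text!r}")
    operator, version = match.groups()
    closing = {"last_affected": version} if operator == "<=" else {"fixed": version}
    return [{"introduced": "0"}, closing]


# The four encodings weighed in the thread (versions are the ones the comments name).
OPEN_RANGE = [{"introduced": "0"}]                                  # no patched version: ">0"
FIXED_OSS = [{"introduced": "0"}, {"fixed": "7.9.3"}]                # earliest freely available fix
FIXED_LTS = [{"introduced": "0"}, {"fixed": "5.11.1"}]               # this PR's proposed change
LAST_AFFECTED = [{"introduced": "0"}, {"last_affected": "5.10.9"}]   # the author's follow-up

# Probe versions: last open-source 5.x, the 5.11.0 gap whose status the thread
# says nobody knows, the LTS fix and the free fix.
PROBE_VERSIONS = ("5.10.9", "5.11.0", "5.11.1", "7.9.3")
KNOWN_FIXED = ("5.11.1", "7.9.3")


def evaluate(events: list[dict[str, str]]) -> dict[str, bool]:
    """Affected verdict for every probe version under one encoding."""
    return {v: is_affected(v, events) for v in PROBE_VERSIONS}


def false_positives(events: list[dict[str, str]]) -> list[str]:
    """Versions the thread states are fixed that the encoding still flags."""
    return [v for v in KNOWN_FIXED if is_affected(v, events)]


if __name__ == "__main__":
    for name, events in [("open >0", OPEN_RANGE), ("fixed 7.9.3", FIXED_OSS),
                         ("fixed 5.11.1", FIXED_LTS), ("last_affected 5.10.9", LAST_AFFECTED)]:
        print(f"{name:22} {evaluate(events)}  false positives: {false_positives(events)}")
    print(events_from_database_specific("<= 5.10.9"))
```

Running it shows the trade-off in the thread directly: the open range flags both 5.11.1 and 7.9.3, "fixed": "7.9.3" still flags the LTS 5.11.1, and "last_affected": "5.10.9" flags neither. Note that the last_affected encoding reports 5.11.0 as not affected, even though the comment above says its status is simply unknown; a scanner cannot distinguish "not affected" from "not known" from the range alone, so the database_specific text remains the only hint that the 5.x line was cut off rather than fixed.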
