CVE-2020-17480

Published: Aug 10, 2020Modified: Jun 17, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.

Affected (2)

Products: Tiny: Tinymce

Tiny

1 product

Tinymce

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Tiny Tinymce	Before 4.9.7
Tiny Tinymce	From 5.0.0 to 5.1.4

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95

Source: cve@mitre.org

ExploitRelease NotesThird Party Advisory

https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitRelease NotesThird Party Advisory

https://www.tiny.cloud/docs/release-notes/release-notes514/#securityfixes

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.