The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-04-25T10:00:00

Updated: 2024-08-06T20:28:07.592Z

Reserved: 2012-08-09T00:00:00

Link: CVE-2012-4230

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2014-04-25T14:15:30.360

Modified: 2024-11-21T01:42:29.257

Link: CVE-2012-4230

cve-icon Redhat

No data.