What is the security issue?
This vulnerability can be mitigated with holistic XSS protections from the application, such as a strict content security policy (CSP), or by updating TinyMCE to version 4.9.11 or 5.4.1.
Applying security updates
Our users consume TinyMCE through several channels, so the patching process is different for each.
Open Source users typically consume TinyMCE via NPM. These users should use their package manager (typically NPM or Yarn) to update the package.
Our commercial users consume TinyMCE through our cloud or self-hosted offerings.
Cloud users add TinyMCE to their web pages using a script tag with a URL like this one below, filling in
MY_API_KEY with their API Key shown in My Account.
Note the "5" in the URL – this denotes the major version of TinyMCE. Any users using this URL will automatically receive the update. Some users may be using "4" or "stable" – these users will receive the security fixes, but we strongly recommend that they switch to "5" to get the latest updates.
Self-hosted customers can download updates to TinyMCE through My Account.
TinyMCE & security
TinyMCE is a web-based rich text editor. It loads HTML content, provides a powerful editing experience, then allows the content to be retrieved, for example, to publish on a web page. It is a component that's integrated into many web-based user interfaces – typically Content Management Systems (CMS) and Learning Management Systems (LMS).
We also recommend the use of a Content Security Policy to further mitigate XSS vectors.
Tiny's security response process
Security is very important to us and our users, so security issues are given the highest priority of any type of issue at Tiny.
Anyone discovering a vulnerability may report it by emailing firstname.lastname@example.org. Tiny customers may also log issues through the Tiny support system.
When security issues are reported, our InfoSec team assesses the severity and impact of the issue and decides on a course of action. If the issue requires a change to a product, we consult with the relevant engineering team, and the issue is given top priority. The issue will be addressed in all supported versions, first in any open source versions, then immediately in our commercial versions.
Once the issue is fixed in the commercial versions, we issue security alerts. GitHub security reports are great for this, as GitHub is such a well-known system, and it integrates well into many company's patching workflow.
Our InfoSec team also holds a quarterly review to discuss all issues raised in the quarter, and to make process improvements going forward.