tinyMCE - Static code injection vulnerability in versions before 1.4.2, in inc/function.base.php
Impact area
Security
Severity
High
Affected element
ServiceNow: UI Script
Salesforce: Static Resource
Rule number
SN-JSL-TINYMCE-LESSTHAN-V142 (for ServiceNow)
SF-JSL-TINYMCE-LESSTHAN-V142 (for Salesforce)
Impact
tinyMCE in versions before 1.4.2 allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.
Remediation
Update tinyMCE to the latest version.
Time to fix
30 min
References
This rule is linked to Common Weakness Enumeration CWE-94: Improper Control of Generation of Code ('Code Injection').