tinyMCE - XSS vulnerability on versions under 4.7.12, in links with XLINK:HREF attributes
Impact area
Security
Severity
High
Affected element
ServiceNow
UI Script
Salesforce
Static Resource
Rule number
SN-JSL-TINYMCE-LESSTHAN-V412 (for ServiceNow)
SF-JSL-TINYMCE-LESSTHAN-V412 (for Salesforce)
Impact
tinyMCE in versions before 4.7.12 allows XSS attacks through links with XLINK:HREF attributes.
Remediation
Update tinyMCE to the latest version.
Time to fix
30 min
References
This rule is linked to Common Weakness Enumeration CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')..