Bug 1091438 (CVE-2012-4230)

Summary: CVE-2012-4230 tinymce: XSS attacks via security policy bypass
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: christoph.wickert, gwync, mhlavink, mrunge, paulo.cesar.pereira.de.andrade, rbean, tmraz, yuwang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:32:42 UTC
Bug Depends On: 1091439, 1091440, 1091441, 1091442, 1091443, 1091444, 1091445

Description Vincent Danen 2014-04-25 15:13:06 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-4230 to
the following vulnerability:

Name: CVE-2012-4230
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4230
Assigned: 20120809
Reference: FULLDISC:20130311 XSS Vulnerability in TinyMCE
Reference: http://seclists.org/fulldisclosure/2013/Mar/114
Reference: http://packetstormsecurity.com/files/120750/TinyMCE-3.5.8-Cross-Site-Scripting.html
Reference: http://www.madirish.net/554
Reference: http://www.securityfocus.com/bid/58424
Reference: OSVDB:91130
Reference: http://osvdb.org/91130
Reference: XF:tinymce-htmlentities-xss(82744)
Reference: http://xforce.iss.net/xforce/xfdb/82744

The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the
TinyMCE security policy for the (1) encoding directive and (2)
valid_elements attribute, which allows attackers to conduct cross-site
scripting (XSS) attacks via application-specific vectors, as
demonstrated using a textarea element.


NOTE: diffing upstream 3.5.10 against 3.5.8 reveals no changes in the bbcode plugin.  While there are changes to this plugin from 3.5.8 to 4.0.23, I do not know if this is corrected (the changelog does not indicate that it is).  As a result, I do not believe this is yet corrected upstream.
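
The CVE text above describes the bug class only in general terms: a bbcode plugin that converts between bbcode and HTML on the raw string, outside the filter that enforces valid_elements and the encoding setting. The following Node.js script is an added illustration of that class and is not TinyMCE's code or the affected plugin's code. The converter rules, the allowlist, the function names (filterHtml, bbcode2html, html2bbcode, setContentUnsafe, setContentSafe, roundTrip, hasDisallowedMarkup) and the textarea-based payload are all assumptions chosen for the demo; the textarea element is taken only from the CVE's mention of it, and the exact mechanism in TinyMCE 3.5.8 is not reproduced here.

```javascript
// Added illustration (not TinyMCE's code): a bbcode <-> HTML conversion plugin
// that runs on the raw string outside the editor's allowlist filter defeats a
// valid_elements policy and an entity-encoding setting. All names, rules and
// the payload are assumptions for this demo.

// Stand-in for a valid_elements policy of "strong,em,br,a[href]" (assumed).
const VALID_ELEMENTS = new Map([
  ["strong", new Set()],
  ["em", new Set()],
  ["br", new Set()],
  ["a", new Set(["href"])],
]);

// Entity-encode text, the way an encoding: "xml"-style setting serialises
// text nodes (toy version: &, <, > and " only).
function encodeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Toy allowlist filter standing in for the editor's schema-based serializer.
// Disallowed elements are dropped (their text is kept), disallowed attributes
// on allowed elements are dropped, javascript: hrefs are dropped, and text
// outside tags is entity-encoded. Regex-based and only meant for the demo.
function filterHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "";
  let last = 0;
  for (const m of html.matchAll(tagRe)) {
    out += encodeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const tag = m[1].toLowerCase();
    const allowedAttrs = VALID_ELEMENTS.get(tag);
    if (allowedAttrs === undefined) continue;        // drop tag, keep text
    if (m[0].startsWith("</")) { out += `</${tag}>`; continue; }
    let attrs = "";
    for (const a of m[2].matchAll(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/g)) {
      const name = a[1].toLowerCase();
      if (!allowedAttrs.has(name)) continue;           // e.g. onfocus
      if (name === "href" && /^\s*javascript:/i.test(a[2])) continue;
      attrs += ` ${name}="${encodeText(a[2])}"`;
    }
    out += tag === "br" ? "<br />" : `<${tag}${attrs}>`;
  }
  return out + encodeText(html.slice(last));
}

// Toy bbcode -> HTML step (what a BeforeSetContent-style hook would do).
// Anything that is not a recognised bbcode tag passes through untouched.
function bbcode2html(s) {
  return s.replace(/\n/g, "<br />")
          .replace(/\[b\](.*?)\[\/b\]/gi, "<strong>$1</strong>")
          .replace(/\[i\](.*?)\[\/i\]/gi, "<em>$1</em>")
          .replace(/\[url=([^\]]+)\](.*?)\[\/url\]/gi, '<a href="$1">$2</a>');
}

// Toy HTML -> bbcode step (what a PostProcess-style hook would do). The final
// entity decode is the lossy part: text that merely *looked* like markup
// becomes real markup the next time bbcode2html runs on the stored value.
function html2bbcode(html) {
  return html.replace(/<br\s*\/?>/gi, "\n")
             .replace(/<strong>(.*?)<\/strong>/gi, "[b]$1[/b]")
             .replace(/<em>(.*?)<\/em>/gi, "[i]$1[/i]")
             .replace(/<a href="([^"]*)">(.*?)<\/a>/gi, "[url=$1]$2[/url]")
             .replace(/&quot;/g, '"').replace(/&lt;/g, "<")
             .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Unsafe ordering: converter output goes straight into the document.
function setContentUnsafe(bbcode) { return bbcode2html(bbcode); }
// Safe ordering: converter output is untrusted HTML and is re-filtered.
function setContentSafe(bbcode) { return filterHtml(bbcode2html(bbcode)); }

// Check used by the demo: did any element outside the allowlist, any on*
// handler, or a javascript: href survive into the rendered HTML?
function hasDisallowedMarkup(html) {
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g)) {
    if (!VALID_ELEMENTS.has(m[1].toLowerCase())) return true;
    if (/\bon[a-z]+\s*=/i.test(m[2])) return true;
    if (/href\s*=\s*"\s*javascript:/i.test(m[2])) return true;
  }
  return false;
}

// Full round trip of text a user typed into the editor as plain text: the
// editor serialises it as an encoded text node, the plugin converts it to
// bbcode for storage, and the stored value is later loaded back.
function roundTrip(typedText) {
  const serialized = encodeText(typedText);   // editor output, entities intact
  const stored = html2bbcode(serialized);     // plugin decodes them on the way out
  return { stored, unsafe: setContentUnsafe(stored), safe: setContentSafe(stored) };
}

// Constructed payload for the demo (typed as text, never as markup).
const PAYLOAD = '<textarea autofocus onfocus="alert(1)">x</textarea>';
console.log(roundTrip(PAYLOAD));
```

On the constructed payload, `roundTrip` shows the stored bbcode now holding a raw `<textarea ...>` tag, the unsafe path rendering it unchanged, and the safe path reducing it to the text `x`; benign input such as `[b]bold[/b] [url=https://example.com]link[/url]` renders identically on both paths, so re-filtering the converter's output costs nothing for legitimate content. The same re-filtering also strips a `javascript:` href produced from `[url=...]`, which is the valid_elements attribute half of the policy.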

Comment 1 Vincent Danen 2014-04-25 15:14:57 UTC
Created sagemath tracking bugs for this issue:

Affects: fedora-all [bug 1091442]

Comment 2 Vincent Danen 2014-04-25 15:15:01 UTC
Created roundcubemail tracking bugs for this issue:

Affects: fedora-all [bug 1091441]
Affects: epel-6 [bug 1091445]

Comment 3 Vincent Danen 2014-04-25 15:15:06 UTC
Created tinymce tracking bugs for this issue:

Affects: fedora-all [bug 1091439]
Affects: epel-6 [bug 1091443]

Comment 4 Vincent Danen 2014-04-25 15:15:09 UTC
Created python-django-tinymce tracking bugs for this issue:

Affects: fedora-all [bug 1091440]
Affects: epel-6 [bug 1091444]

Comment 5 Fedora Update System 2014-12-19 18:26:49 UTC
sagemath-6.3-5.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-12-21 06:41:08 UTC
sagemath-6.1.1-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2015-01-06 02:05:55 UTC
roundcubemail-1.0.4-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-06 02:08:21 UTC
roundcubemail-1.0.4-2.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-01-06 06:13:20 UTC
roundcubemail-1.0.4-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-01-06 06:16:14 UTC
roundcubemail-1.0.4-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Neal Gompa 2015-05-16 14:07:51 UTC
To the best of my knowledge, this is still not corrected upstream.

Comment 12 Product Security DevOps Team 2019-06-08 02:32:42 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.