The tinymce media plugin has security controls that aim to mitigate Cross-Site Scripting (XSS) attacks, but did not filter script elements in the default config implementations, allowing an attacker to perform a Cross-Site Scripting (XSS) attack.

References:
https://snyk.io/vuln/npm:tinymce:20150610

Upstream patch:
https://github.com/tinymce/tinymce/commit/9c78e4a4f9aad14f3e86094b36f163177f38c248
Created tinymce tracking bugs for this issue:

Affects: epel-6 [bug 1411804]
Affects: fedora-all [bug 1411805]
This should have been fixed in the 4.5.1 update that went out a few weeks ago: https://bodhi.fedoraproject.org/updates/?packages=tinymce
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.