Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Tinymce Subscribe
Total 7 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2012-6112 2 Moodle, Tinymce 2 Moodle, Spellchecker Php 2020-12-01 5.0 MEDIUM N/A
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.
CVE-2012-4230 1 Tinymce 1 Tinymce 2017-08-28 4.3 MEDIUM N/A
The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.
CVE-2012-3414 3 Swfupload Project, Tinymce, Wordpress 3 Swfupload, Image Manager, Wordpress 2016-12-07 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function.
CVE-2014-3844 2 Tinymce, Wordpress 2 Color Picker, Wordpress 2014-06-27 5.0 MEDIUM N/A
The TinyMCE Color Picker plugin before 1.2 for WordPress does not properly check permissions, which allows remote attackers to modify plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.
CVE-2014-3845 2 Tinymce, Wordpress 2 Color Picker, Wordpress 2014-06-27 6.8 MEDIUM N/A
Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. NOTE: some of these details are obtained from third party information.
CVE-2013-2204 2 Tinymce, Wordpress 2 Media, Wordpress 2013-08-13 4.3 MEDIUM N/A
moxieplayer.as in Moxiecode moxieplayer, as used in the TinyMCE Media plugin in WordPress before 3.5.2 and other products, does not consider the presence of a # (pound sign) character during extraction of the QUERY_STRING, which allows remote attackers to pass arbitrary parameters to a Flash application, and conduct content-spoofing attacks, via a crafted string after a ? (question mark) character.
CVE-2011-4825 3 Phpletter, Phpmyfaq, Tinymce 3 Ajax File And Image Manager, Phpmyfaq, Tinymce 2011-12-15 7.5 HIGH N/A
Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.