SS-2014-009: Potential DoS exploit in TinyMCE

Severity: Low (?)
Identifier: SS-2014-009
Versions Affected: 3.1.4, 3.0.10, and all versions before
Release Date: 2014-05-07

A vulnerability has been found in the Framework's bundled version of TinyMCE: an attacker can leverage the TinyMCE compressor script to generate large responses, which are also written to the on-disk cache.

The impact of this issue is limited by the URL length cap enforced by web servers and by Suhosin, and depends on whether zlib is available on the server: without zlib the compressor cannot gzip its output, so substantially larger responses can be generated.

The Framework's copy of TinyMCE has been patched to filter the request parameters responsible for this. The fix has also been submitted and merged into upstream TinyMCE, from where it will independently make its way into the next major/minor version of the Framework.
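As an added illustration of the kind of parameter filtering the fix describes (example code written for this advisory, not SilverStripe's or TinyMCE's own patched compressor), the sketch below allowlists the comma-separated component lists a compressor endpoint accepts and derives the disk-cache key from the filtered, canonical form. The parameter names (`plugins`, `languages`, `themes`), the directory layout under `$base`, and the 32-entry cap are assumptions made for the example.

```php
<?php
// Added example, not part of the advisory or of the TinyMCE/SilverStripe code base.
// Parameter names, file layout and the cap below are assumptions for illustration.

const MAX_COMPONENTS = 32;   // hard cap per list, chosen for this example

/**
 * Reduce a comma-separated list of component names to unique, well-formed
 * names that map to an existing file under $baseDir. Anything else is dropped,
 * so the response can only be assembled from files that really ship with the
 * editor, and its size is bounded by MAX_COMPONENTS per list.
 */
function filterComponents($raw, $baseDir, $pattern)
{
    if (!is_string($raw) || $raw === '') {
        return array();
    }
    $out = array();
    foreach (explode(',', $raw) as $name) {
        $name = trim($name);
        // Simple identifiers only: no slashes, dots or traversal sequences.
        if (!preg_match('/^[a-z0-9_-]{1,32}$/i', $name)) {
            continue;
        }
        $file = $baseDir . '/' . sprintf($pattern, $name);
        if (!is_file($file)) {
            continue;   // unknown component: nothing to concatenate
        }
        $out[$name] = $file;   // keyed by name, so duplicates collapse
        if (count($out) >= MAX_COMPONENTS) {
            break;
        }
    }
    return array_values($out);
}

/**
 * Cache key derived from the *filtered* lists in sorted order, so that
 * reordering or repeating names in the URL does not create a fresh cache file.
 */
function cacheKey(array $lists)
{
    $parts = array();
    foreach ($lists as $kind => $files) {
        sort($files);
        $parts[] = $kind . '=' . implode(',', $files);
    }
    return md5(implode('&', $parts));
}

// Assumed TinyMCE-style layout: plugins/<name>/editor_plugin.js,
// langs/<code>.js, themes/<name>/editor_template.js under $base.
$base = dirname(__FILE__);
$plugins   = filterComponents(isset($_GET['plugins'])   ? $_GET['plugins']   : '',
                              $base . '/plugins', '%s/editor_plugin.js');
$languages = filterComponents(isset($_GET['languages']) ? $_GET['languages'] : '',
                              $base . '/langs',   '%s.js');
$themes    = filterComponents(isset($_GET['themes'])    ? $_GET['themes']    : '',
                              $base . '/themes',  '%s/editor_template.js');

$key = cacheKey(array(
    'plugins'   => $plugins,
    'languages' => $languages,
    'themes'    => $themes,
));
// Only now would the endpoint look up or write <cachedir>/$key and concatenate
// the files in $plugins, $languages and $themes (compressed with gzencode()
// when zlib is available).
```

Two properties matter here. Existence checks and the per-list cap bound how much data one request can make the endpoint read and emit, and rejecting anything but simple identifiers keeps the lookup inside the editor's own tree. Computing the cache key after filtering and sorting means that the many URL variants an attacker can produce for the same component set all map to one cache file, rather than each permutation filling the disk with another copy.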
