
SS-2014-009: Potential DoS exploit in TinyMCE

Severity: Low
Identifier: SS-2014-009
Versions Affected: 3.1.4, 3.0.10, and all versions before
Release Date: 2014-05-07

A vulnerability has been found in the Framework's bundled version of TinyMCE: an attacker can leverage the compressor to generate large responses, which are also cached on disk.

The impact of this issue is limited by the URL length cap enforced by web servers and Suhosin, and depends on the availability of zlib on the server; substantially larger responses can be generated if zlib is not installed.

The Framework's version of TinyMCE has been patched to filter the parameters responsible for this, and a fix has been submitted and merged into upstream TinyMCE, which will independently make its way into the next major/minor version of the Framework.
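The advisory says the fix filters the parameters that drive the compressor. The following is an added example of what such filtering looks like; it is written for this page and is not SilverStripe's or TinyMCE's own code. The parameter names (`plugins`, `themes`, `languages`), the allowlisted values, and the item cap are assumptions for illustration, and it assumes PHP 7 or later.

```php
<?php
// Added example (not SilverStripe's or TinyMCE's code): allowlist the
// request parameters that select which scripts a compressor concatenates
// and caches. Parameter names and allowlisted values are assumptions.

// Hypothetical allowlists: only things this install actually ships.
const ALLOWED_PLUGINS = ['table', 'paste', 'link', 'image', 'fullscreen'];
const ALLOWED_THEMES  = ['advanced', 'simple'];
const ALLOWED_LANGS   = ['en', 'de', 'fr'];
const MAX_ITEMS       = 10;   // cap on entries per list, so the bundle size is bounded

/**
 * Split a comma-separated request value and keep only allowlisted entries,
 * deduplicated. Returns null on anything unexpected so the caller refuses
 * the request instead of building (and caching on disk) an attacker-chosen bundle.
 */
function filterList(string $raw, array $allowed): ?array
{
    $items = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    if (count($items) > MAX_ITEMS) {
        return null;   // refuse oversized lists outright
    }
    $clean = [];
    foreach ($items as $item) {
        if (!preg_match('/^[a-z0-9_]+$/i', $item)) {
            return null;   // only simple names; no separators or odd characters
        }
        if (!in_array($item, $allowed, true)) {
            return null;   // unknown plugin, theme or language
        }
        $clean[$item] = true;   // dedupe: repeating a name must not inflate the output
    }
    return array_keys($clean);
}

/**
 * Validate the list parameters together. $params stands in for $_GET.
 * Returns the cleaned lists, or null to signal that the request should get HTTP 400.
 */
function validateCompressorRequest(array $params): ?array
{
    $plugins = filterList($params['plugins'] ?? '', ALLOWED_PLUGINS);
    $themes  = filterList($params['themes'] ?? '', ALLOWED_THEMES);
    $langs   = filterList($params['languages'] ?? '', ALLOWED_LANGS);
    if ($plugins === null || $themes === null || $langs === null) {
        return null;
    }
    return ['plugins' => $plugins, 'themes' => $themes, 'languages' => $langs];
}

// Constructed sample requests.
var_dump(validateCompressorRequest([
    'plugins' => 'table,paste,table', 'themes' => 'advanced', 'languages' => 'en',
]));   // accepted; the repeated "table" is collapsed to one entry

var_dump(validateCompressorRequest([
    'plugins' => str_repeat('table,', 500) . 'paste', 'themes' => 'advanced', 'languages' => 'en',
]));   // null: too many entries

var_dump(validateCompressorRequest([
    'plugins' => 'notaplugin', 'themes' => 'advanced', 'languages' => 'en',
]));   // null: not on the allowlist
```

Because every accepted value comes from a finite allowlist and lists are deduplicated and capped, the set of distinct bundles the compressor can be asked to build, and therefore the set of cache files it can write, is bounded regardless of how the request is varied; rejected requests never reach the compression or caching step at all.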