SS-2014-009: Potential DoS exploit in TinyMCE
- Low (?)
- Versions Affected:
- 3.1.4, 3.0.10, and all versions before
- Release Date:
Vulnerability has been found in Framework's TinyMCE version where an attacker can leverage the compressor to generate large responses that are also cached on disk.
The impact of this issue is limited by the URL length cap enforced by webservers and Suhosin, and is dependent on the availability of zlib on the server - substantially larger responses can be generated if zlib is not installed.
Framework's version of TinyMCE has been patched to filter parameters responsible for this and a fix has been submitted and merged into upstream TinyMCE which will independently make it's way to the next major/minor version of the Framework.