Jira Data Center / JRASERVER-78122

Upgrade tinyMCE to >= 7.0.0 to mitigate CVE-2024-29881/29203


      Issue Summary

      The TinyMCE version shipped with the latest version of Jira is 5.10.9.
      Two CVEs were fixed in the range between 5.10.9 and 7.0.0 and do not appear to have been backported to the 5.x line:

      1. CVE-2024-29881 Detail - NVD
      2. CVE-2024-29203 Detail - NVD

      Both are cross-site scripting (XSS) vulnerabilities that are medium severity.

      This is reproducible on Data Center: (yes) / (no)

      Steps to Reproduce

      1. On a Jira issue, locate the inline script element that the Editor Plugin package loads the editor from:
        1. `<script src="/s/../../7.5.4/_/download/resources/com.atlassian.jira.plugins.jira-editor-plugin:tinymce/tinymce.js?batch=false"></script>`
      2. Open tinymce.js and confirm from its header banner that the version is below 7.0.0 (the current latest ships `Version: 5.10.9 (2023-11-15)`).
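The version check in step 2 can be automated so it is repeatable across instances and after each upgrade. The following is an added example, not code from the ticket or from Atlassian: it parses the banner at the top of a downloaded `tinymce.js` and compares the version against the 7.0.0 threshold from the ticket title. The `Version: 5.10.9 (2023-11-15)` banner form is the one quoted in the ticket; support for the `TinyMCE version X.Y.Z` banner used by newer releases is an assumption, as is the `fetch_tinymce_source` helper, whose resource path is copied from the ticket and whose leading version segment (`7.5.4` there) varies per instance.

```python
import re
import urllib.request
from typing import Optional, Tuple

# Threshold from the ticket: TinyMCE must be >= 7.0.0 to be outside the range
# affected by CVE-2024-29881 and CVE-2024-29203.
FIXED_VERSION: Tuple[int, int, int] = (7, 0, 0)

# Banner formats. "Version: 5.10.9 (2023-11-15)" is the 5.x form quoted in the
# ticket; "TinyMCE version 6.8.3 (...)" is the newer form (assumed here).
VERSION_RE = re.compile(r"(?:Version:|TinyMCE version)\s+(\d+)\.(\d+)\.(\d+)")

# Resource path copied from the ticket's <script src=...>; the "7.5.4" segment
# is instance-specific, so callers should substitute their own.
DEFAULT_RESOURCE_PATH = (
    "/s/../../7.5.4/_/download/resources/"
    "com.atlassian.jira.plugins.jira-editor-plugin:tinymce/tinymce.js?batch=false"
)


def extract_version(js_source: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from the tinymce.js header banner, or None.

    Only the first 4 KB is scanned: the banner is a leading comment, and
    scanning the whole minified bundle would risk matching unrelated text.
    """
    match = VERSION_RE.search(js_source[:4096])
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(js_source: str) -> str:
    """Classify a tinymce.js source as 'affected', 'fixed' or 'unknown'.

    'unknown' is returned when no banner is found, so that a stripped or
    unexpected build is surfaced rather than silently reported as fixed.
    """
    version = extract_version(js_source)
    if version is None:
        return "unknown"
    # Tuple comparison gives correct numeric ordering, e.g. (5, 10, 9) < (7, 0, 0).
    return "affected" if version < FIXED_VERSION else "fixed"


def fetch_tinymce_source(base_url: str, resource_path: str = DEFAULT_RESOURCE_PATH) -> str:
    """Download tinymce.js from a Jira base URL (hypothetical helper, needs network)."""
    with urllib.request.urlopen(base_url.rstrip("/") + resource_path, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample banners for offline use; they mimic the header comment
# of tinymce.js and are not real downloads.
SAMPLE_5_10_9 = (
    "/**\n"
    " * Copyright (c) Tiny Technologies, Inc. All rights reserved.\n"
    " * Licensed under the LGPL or a commercial license.\n"
    " * Version: 5.10.9 (2023-11-15)\n"
    " */\n"
    "!function(){var e=1;}();\n"
)
SAMPLE_7_0_0 = (
    "/**\n"
    " * TinyMCE version 7.0.0 (2024-03-20)\n"
    " */\n"
    "!function(){var e=1;}();\n"
)

if __name__ == "__main__":
    for label, source in (("5.10.9 sample", SAMPLE_5_10_9), ("7.0.0 sample", SAMPLE_7_0_0)):
        print(f"{label}: version={extract_version(source)} status={assess(source)}")
    # Against a live instance (hypothetical):
    # print(assess(fetch_tinymce_source("https://jira.example.invalid")))
```

Running `assess` on a freshly downloaded `tinymce.js` after an upgrade confirms the bundle actually served to browsers has changed, which matters because the editor plugin ships its own copy of TinyMCE rather than the one a Jira release note might name.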

      Expected Results

      • To mitigate the CVEs, TinyMCE should be upgraded to >= 7.0.0, and the Jira editor's use of it reviewed against the details of each CVE.

      Actual Results

      • The TinyMCE version currently shipped is within the affected range of both CVEs.

      Workaround

      Currently, there is no known workaround for this behaviour. A workaround will be added here when available.

              Assignee: Unassigned
              Reporter: Nicole Reichert