TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows att…

TinyMCE, an open source rich text editor, contains a stored XSS vulnerability in versions prior to 5.11.1, 7.9.3, and 8.5.1. Attackers can exploit forged mce:protected comments to bypass sanitization and inject malicious scripts that execute when content is restored. The vulnerability specifically impacts users who utilize the protect option in TinyMCE. This security flaw allows for script injection that persists in stored content, creating a significant security risk for applications using affected versions. The issue has been addressed in the latest versions 5.11.1, 7.9.3, and 8.5.1.