TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows att…

TinyMCE, an open source rich text editor, contains a stored XSS vulnerability in versions prior to 5.11.1, 7.9.3, and 8.5.1. The vulnerability allows attackers to bypass sanitization through forged mce:protected comments and inject scripts that execute when content is restored. This specifically impacts users who utilize the protect option in TinyMCE. The vulnerability enables script injection that persists in stored content and executes upon content restoration. Fixed versions are available: 5.11.1, 7.9.3, and 8.5.1.