The cross-site scripting flaw could enable arbitrary code execution, information disclosure – and even account takeover. A high-severity flaw has been disclosed in TinyMCE, an open-source text editor used in the content management systems (CMS) of websites.
https://threatpost.com/high-severity-tinymce-cross-site-scripting-flaw-fixed/158306/
https://threatpost.com/high-severity-tinymce-cross-site-scripting-flaw-fixed/158306/