severity_rating: low
created_at: 2018-12-15 06:04:39
vendor: ratelimited https://hackerone.com/ratelimited
bounty_amount:

Hello Security Team

Summary: When looking for links and trying content discovery, I found a link on the domain support.theendlessweb.com:

https://support.theendlessweb.com/__swift/apps/base/javascript/__global/thirdparty/TinyMCE/tinymce.min.js

It contains the TinyMCE plugin and the version they are using, and it also discloses some source code.

TinyMCE version used: 4.3.12 (2016-05-10)

https://support.theendlessweb.com/__swift/apps/base/javascript/__global/thirdparty/TinyMCE

The above-mentioned link, when searched, gives a 403 access denied, which means nobody is allowed to view the contents, but appending the JS file to the link displays the plugin code.

With Regards
Wolfdroid

Jai Shree Krishna

Impact

Leaking of plugin versions can lead to a successful attack. An attacker can look for exploits in this particular version and can execute an attack to harm the website.
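
For the site owner, the practical follow-up to a report like this is knowing which bundled editor copies are deployed and how old they are. The sketch below is an added example, not part of the original report or of the vendor's code: it reads the `// 4.3.12 (2016-05-10)` style banner quoted above, falls back to the `majorVersion`/`minorVersion` fields (their minified layout here is an assumption), and flags copies below a placeholder minimum version. File names and contents are constructed.

```python
import re

# Banner comment at the top of the bundle, e.g. "// 4.3.12 (2016-05-10)".
# This pattern is generic, so point the audit at editor directories only.
BANNER_RE = re.compile(r"^\s*//\s*(\d+(?:\.\d+)+)\s*\((\d{4}-\d{2}-\d{2})\)", re.M)
# Version fields inside the code; these survive when the banner is stripped.
FIELDS_RE = re.compile(
    r'majorVersion\s*:\s*["\'](\d+)["\']\s*,\s*minorVersion\s*:\s*["\']([\d.]+)["\']'
)


def detect_version(js_text):
    """Return (version, source) found in a TinyMCE bundle, or None."""
    m = BANNER_RE.search(js_text[:512])
    if m:
        return m.group(1), "banner"
    m = FIELDS_RE.search(js_text)
    if m:
        return f"{m.group(1)}.{m.group(2)}", "fields"
    return None


def as_tuple(version):
    return tuple(int(p) for p in version.split("."))


def audit(files, minimum):
    """files: {path: content}. Return bundles older than `minimum`."""
    findings = []
    for path, text in sorted(files.items()):
        hit = detect_version(text)
        if hit and as_tuple(hit[0]) < as_tuple(minimum):
            findings.append({"path": path, "version": hit[0], "source": hit[1]})
    return findings


# Constructed sample content; only the banner value comes from the report.
SAMPLE_FILES = {
    "thirdparty/TinyMCE/tinymce.min.js": '// 4.3.12 (2016-05-10)\n!function(e,t){"use strict";}(this);',
    "thirdparty/editor/stripped.min.js": '!function(){var t={majorVersion:"4",minorVersion:"9.11"};}();',
    "app/site.js": "console.log('no editor here');",
}
# Placeholder policy value, not a statement about which release fixes what.
MINIMUM = "4.9.11"

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, MINIMUM):
        print(f"{f['path']}: TinyMCE {f['version']} ({f['source']}) is below {MINIMUM}")
```

Removing the banner comment alone does not hide the version, since the fields inside the code still carry it; upgrading the bundled copy is what addresses the risk described under Impact.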
