tinymce · kemister85 · Jun 19, 2024 · Jun 19, 2024 · Jun 19, 2024
@@ -407,6 +407,9 @@
 ** xref:tinymce-and-cors.adoc[Cross-Origin Resource Sharing (CORS)]
 * Release information
 ** xref:release-notes.adoc[Release notes for {productname} 6]
+*** {productname} 6.8.4
+**** xref:6.8.4-release-notes.adoc#overview[Overview]
+**** xref:6.8.4-release-notes.adoc#security-fix[Security fix]
 *** {productname} 6.8.3
 **** xref:6.8.3-release-notes.adoc#overview[Overview]
 **** xref:6.8.3-release-notes.adoc#accompanying-premium-self-hosted-server-side-component-changes[Accompanying Premium self-hosted server-side component changes]

@@ -0,0 +1,45 @@
+= TinyMCE {release-version}
+:release-version: 6.8.4
+:navtitle: TinyMCE {release-version}
+:description: Release notes for TinyMCE {release-version}
+:keywords: releasenotes, new, changes, bugfixes
+:page-toclevels: 1
+
+include::partial$misc/admon-releasenotes-for-stable.adoc[]
+
+[[overview]]
+== Overview
+
+{productname} {release-version} was released for {enterpriseversion} and {cloudname} on Wednesday, June 19^th^, 2024. These release notes provide an overview of the changes for {productname} {release-version}, including:
+
+* xref:security-fixes[Security fixes]
+
+
+[[security-fixes]]
+== Security fixes
+
+{productname} 6.8.4 includes two fixes for the following security issues:
+
+=== HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability.
+// #TINY-11019
+
+A https://owasp.org/www-community/attacks/xss/[cross-site scripting] (XSS) vulnerability was discovered in {productname}'s content parsing code. This allowed specially crafted `noscript` elements containing malicious code to be executed when that content was loaded into the editor.
+
+This vulnerability has been patched in {productname} 7.2.0, {productname} {release-version} and {productname} 5.11.0 LTS by ensuring that content within `noscript` elements are properly parsed.
+
+GHSA: link:https://github.com/tinymce/tinymce/security/advisories/GHSA-w9jx-4g6g-rp7x[GitHub Advisory].
+
+CVE: Pending.
+
+NOTE: Tiny Technologies would like to thank link:https://malavkhatri.com/[Malav Khatri (devilbugbounty)] and another reported for discovering this vulnerability.
+
+=== It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option.
+// #TINY-11022
+
+A https://owasp.org/www-community/attacks/xss/[cross-site scripting] (XSS) vulnerability was discovered in {productname}'s content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from the editor.
+
+This vulnerability has been patched in {productname} 7.2.0, {productname} {release-version} and {productname} 5.11.0 LTS by ensuring that, when using the `noneditable_regexp` option, any content within an attribute is properly verified to match the configured regular expression before being added.
+
+GHSA: link:https://github.com/tinymce/tinymce/security/advisories/GHSA-9hcv-j9pv-qmph[GitHub Advisory].
+
+CVE: Pending.
@@ -4,6 +4,12 @@
 
 NOTE: This is the {productname} Community version changelog. For information about the latest {cloudname} or {enterpriseversion} Release, see: xref:release-notes.adoc[{productname} Release Notes].
 
+## 6.8.4 - 2024-06-19
+
+=== Fixed
+* HTML entities that were double decoded in `noscript` elements caused an XSS vulnerability.
+* It was possible to inject XSS HTML that was not matching the regexp when using the `noneditable_regexp` option.
+
 == 6.8.3 - 2024-02-08
 
 === Changed

@@ -9,6 +9,12 @@ This section lists the releases for {productname} 6 and the changes made in each
 [cols="1,1"]
 |===
 
+a|
+[.lead]
+xref:6.8.4-release-notes.adoc#overview[{productname} 6.8.4]
+
+Release notes for {productname} 6.8.4
+
 a|
 [.lead]
 xref:6.8.3-release-notes.adoc#overview[{productname} 6.8.3]