VDB

CVE-2024-43368

CVE-2024-43368 PUBLISHED CVSS 6.5 MEDIUM

The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for GHSA-qjqp-xr96-cj99. In pull request 1149, sanitation was added for Trix attachments with a `text/html` content type. However, Trix only checks the content type on the paste event's `dataTransfer` object. As long as the `dataTransfer` has a content type of `text/html`, Trix parses its contents and creates an `Attachment` with them, even if the attachment itself doesn't have a `text/html` content type. Trix then uses the attachment content to set the attachment element's `innerHTML`. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This vulnerability was fixed in version 2.1.4.

EPSS 0.39% · 60.5th percentile

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score
0.39%
60.5th percentile

Affected Products

VendorProductVersions
npmtrix0
basecamptrix0
basecamptrix< 2.1.4

Exploit Intelligence

…and 110 more exploits

Timeline

  • Jan 20, 1970 Fix PR Merged
  • Jan 20, 1970 Fix PR Merged
  • Jan 21, 1970 Security Advisory
  • Aug 14, 2024 CVE Published
  • Aug 15, 2024 EPSS Score
  • Sep 5, 2024 EPSS Score
  • Sep 26, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Oct 16, 2024 EPSS Score
  • Nov 6, 2024 EPSS Score
  • Nov 27, 2024 EPSS Score
  • Dec 19, 2024 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›