Description
Trix is a rich text editor. Trix editor versions prior to 2.1.1 are vulnerable to arbitrary code execution when content copied from the web or from other documents containing markup is pasted into the editor. The vulnerability stems from improper sanitization of pasted content, which allows an attacker to embed malicious scripts that are executed in the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.
References (6)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
Issue Tracking (x_refsource_misc): https://github.com/basecamp/trix/pull/1147
Issue Tracking (x_refsource_misc): https://github.com/basecamp/trix/pull/1149
Patch (x_refsource_misc): https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
Patch (x_refsource_misc): https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
Release Notes (x_refsource_misc): https://github.com/basecamp/trix/releases/tag/v2.1.1
Scores
CVSS v3
5.4
EPSS
0.0041
EPSS Percentile
61.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
basecamp/trix
< 2.1.1
npm/trix
2.0.0 - 2.1.1 (npm)
rubygems/actiontext
7.0.0.alpha1 - 7.0.8.3 (RubyGems)
Published
May 07, 2024
Tracked Since
Feb 18, 2026