CVE - CVE-2024-43368

CVE-ID
CVE-2024-43368	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for GHSA-qjqp-xr96-cj99. In pull request 1149, sanitation was added for Trix attachments with a `text/html` content type. However, Trix only checks the content type on the paste event's `dataTransfer` object. As long as the `dataTransfer` has a content type of `text/html`, Trix parses its contents and creates an `Attachment` with them, even if the attachment itself doesn't have a `text/html` content type. Trix then uses the attachment content to set the attachment element's `innerHTML`. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This vulnerability was fixed in version 2.1.4.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6 URL:https://github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6 MISC:https://github.com/basecamp/trix/pull/1149 URL:https://github.com/basecamp/trix/pull/1149 MISC:https://github.com/basecamp/trix/pull/1156 URL:https://github.com/basecamp/trix/pull/1156 MISC:https://github.com/basecamp/trix/releases/tag/v2.1.4 URL:https://github.com/basecamp/trix/releases/tag/v2.1.4 MISC:https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99 URL:https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99 MISC:https://github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv URL:https://github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20240809	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240809)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)