fkie_cve-2024-34341
Vulnerability from fkie_nvd
Published
2024-05-07 16:15
Modified
2024-11-21 09:18
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.
References
security-advisories@github.comhttps://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
security-advisories@github.comhttps://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
security-advisories@github.comhttps://github.com/basecamp/trix/pull/1147
security-advisories@github.comhttps://github.com/basecamp/trix/pull/1149
security-advisories@github.comhttps://github.com/basecamp/trix/releases/tag/v2.1.1
security-advisories@github.comhttps://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/pull/1147
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/pull/1149
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/releases/tag/v2.1.1
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content."
    },
    {
      "lang": "es",
      "value": "Trix es un editor de texto enriquecido. El editor Trix, versiones anteriores a la 2.1.1, es vulnerable a la ejecuci\u00f3n de c\u00f3digo arbitrario al copiar y pegar contenido de la web u otros documentos con marcado en el editor. La vulnerabilidad surge de una sanitizaci\u00f3n inadecuada del contenido pegado, lo que permite a un atacante incrustar scripts maliciosos que se ejecutan dentro del contexto de la aplicaci\u00f3n. Los usuarios deben actualizar a la versi\u00f3n 2.1.1 o posterior del editor Trix, que incorpora una sanitizaci\u00f3n adecuada de la entrada del contenido copiado."
    }
  ],
  "id": "CVE-2024-34341",
  "lastModified": "2024-11-21T09:18:27.890",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-07T16:15:08.217",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/pull/1147"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/pull/1149"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/pull/1147"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/pull/1149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.