Home > Vulnerability Database > CVE-2024-34341

Mend.io Vulnerability Database

CVE-2024-34341

Good to know:

Date: May 7, 2024

Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

Language: JS

Severity Score

5.4

Related Resources (22)

Url: https://discuss.rubyonrails.org/t/xss-vulnerabilities-in-trix-editor/85803

Url: https://rubyonrails.org/2024/5/17/Rails-Versions-7-0-8-2-and-7-1-3-3-have-been-released

Url: https://github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6

Url: https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99

Url: https://github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv

Url: https://github.com/basecamp/trix

Url: https://github.com/basecamp/trix/pull/1149

Url: https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad

Url: https://github.com/rails/rails/commit/73fac32511eefdd45d8f00fecc2b8cc5408ea6d5

Url: https://github.com/basecamp/trix/pull/1147

Url: https://github.com/basecamp/trix/pull/1156

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-34341

Url: https://developer.mozilla.org/en-US/docs/Web/API/DataTransfer

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-34341.yml

Url: https://github.com/rails/rails/commit/260cb392fc1ee91d0b749cff08d1c8d54b230bd3

Url: https://rubyonrails.org/2024/5/17/Rails-Versions-7-0-8-3-has-been-released

Url: https://github.com/basecamp/trix/releases/tag/v2.1.1

Url: https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554

Url: https://github.com/rails/rails/commit/07e6c88cc4defe6f6b8d28e79eb13a518e15b14c

Url: https://github.com/basecamp/trix/releases/tag/v2.1.4

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-43368

Url: https://www.mend.io/vulnerability-database/CVE-2024-34341

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version trix - 1.3.2;trix - 2.1.1;trix - 2.1.4;actiontext - 7.0.8.3;actiontext - 7.1.3.3;trix - 2.1.1;trix - 2.1.4

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-34341

Good to know:

Date: May 7, 2024

Language: JS

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?