CVE-2024-34341

Aliases:GHSA-qjqp-xr96-cj99
Advisory lineage Upstream: 0 Downstream: 4
Deferred
Published: 07 May 2024, 15:13
Last modified:02 Aug 2024, 02:51

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.4 MEDIUM
v3.1 (cve.org)
EPSS Score
0.55% LOW
1% probability +0.14%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

07 May 2024, 15:13
Published
Vulnerability first disclosed
02 Aug 2024, 02:51
Last Modified
Vulnerability information updated

Description

Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

CVSS Metrics

  • v3.1MEDIUMScore: 5.4CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.55% Percentile: 68%

Techniques & Countermeasures

  • CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

  • basecamptrix

    < 2.1.1

  • RubyGemsactiontext

    ≥ 7.0.0.alpha1, < 7.0.8.3 | ≥ 7.1.0.beta1, < 7.1.3.3

  • Npmtrix

    ≥ 2.0.0, < 2.1.1 | ≥ 0.9.0, < 1.3.2

References (15)