FKIE_CVE-2024-34341

Vulnerability from fkie_nvd - Published: 2024-05-07 16:15 - Updated: 2024-11-21 09:18
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.
References
security-advisories@github.comhttps://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
security-advisories@github.comhttps://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
security-advisories@github.comhttps://github.com/basecamp/trix/pull/1147
security-advisories@github.comhttps://github.com/basecamp/trix/pull/1149
security-advisories@github.comhttps://github.com/basecamp/trix/releases/tag/v2.1.1
security-advisories@github.comhttps://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/pull/1147
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/pull/1149
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/releases/tag/v2.1.1
af854a3a-2127-422b-91ae-364da2661108https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content."
    },
    {
      "lang": "es",
      "value": "Trix es un editor de texto enriquecido. El editor Trix, versiones anteriores a la 2.1.1, es vulnerable a la ejecuci\u00f3n de c\u00f3digo arbitrario al copiar y pegar contenido de la web u otros documentos con marcado en el editor. La vulnerabilidad surge de una sanitizaci\u00f3n inadecuada del contenido pegado, lo que permite a un atacante incrustar scripts maliciosos que se ejecutan dentro del contexto de la aplicaci\u00f3n. Los usuarios deben actualizar a la versi\u00f3n 2.1.1 o posterior del editor Trix, que incorpora una sanitizaci\u00f3n adecuada de la entrada del contenido copiado."
    }
  ],
  "id": "CVE-2024-34341",
  "lastModified": "2024-11-21T09:18:27.890",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-07T16:15:08.217",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/pull/1147"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/pull/1149"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/pull/1147"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/pull/1149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.