CVSS Score: 6.5
Published: 2024-08-14
Full Report: https://cvereports.com/reports/CVE-2024-43368
A logic flaw in Trix Editor's attachment handling allowed attackers to bypass XSS protections by simply mislabeling the content type of malicious payloads.
The fix for an earlier XSS issue sanitized attachment content only when it was labeled 'text/html'. Attackers bypassed the check by labeling malicious HTML as anything else (e.g., 'text/anything'): the renderer ignored the label and assigned the content to innerHTML regardless, so the unsanitized markup executed. Fixed in version 2.1.4.
- CWE ID: CWE-79 (Cross-site Scripting)
- CVSS v3.1: 6.5 (Medium)
- Attack Vector: Network (User Interaction Required)
- Impact: Confidentiality & Integrity (High)
- Exploit Status: PoC Available
- Patch Status: Fixed in v2.1.4
- Basecamp Trix Editor
- Ruby on Rails applications using the actiontext gem (older versions)
- Any web application embedding Trix < 2.1.4
- Trix: < 2.1.4 (Fixed in: 2.1.4)
- Strict Content Security Policy (CSP) to restrict script sources.
- Always sanitize data at the sink (rendering point), not just at the source.
- Treat all user input as untrusted, regardless of metadata labels.
Remediation Steps:
- Upgrade Trix Editor to version 2.1.4 or later immediately.
- If upgrading is not possible, patch src/trix/views/attachment_view.js to use a sanitizer before assigning innerHTML.
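The flaw described above and the "sanitize at the sink" remediation, shown side by side as an added example. This is not Trix's code or Trix's sanitizer: the attachment object, the two render functions and the minimal allowlist sanitizer are hypothetical, written here to show why gating sanitization on a caller-supplied content-type label fails and why sanitizing every value before it reaches innerHTML does not.

```javascript
// Added example (not Trix's own code): the sanitize-by-label flaw described in
// CVE-2024-43368 next to the sanitize-at-the-sink fix. All names below are
// hypothetical, and the sanitizer is a minimal allowlist written for this demo.

const ALLOWED_TAGS = new Set(["a", "b", "br", "em", "i", "img", "p", "strong"]);
const ALLOWED_ATTRS = new Set(["alt", "href", "src", "title"]);

// Escape text nodes so stray angle brackets cannot open a tag.
function escapeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Reject URL schemes that execute script or smuggle HTML.
function safeUrl(value) {
  const v = value.toLowerCase().replace(/[\s\u0000-\u001f]/g, "");
  return !/^(javascript|vbscript|data):/.test(v);
}

// Keep only allowlisted attributes; event handlers (on*) and style are dropped.
function filterAttrs(attrText) {
  const attrRe = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let kept = "";
  let a;
  while ((a = attrRe.exec(attrText)) !== null) {
    const name = a[1].toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    if ((name === "href" || name === "src") && !safeUrl(value)) continue;
    kept += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return kept;
}

// Minimal allowlist sanitizer: unknown tags are removed, allowed tags are
// re-emitted with filtered attributes, text between tags is escaped.
function sanitize(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;
    out += m[0].startsWith("</") ? `</${name}>` : `<${name}${filterAttrs(m[2])}>`;
  }
  return out + escapeText(html.slice(last));
}

// Vulnerable shape (pre-2.1.4 logic as the advisory describes it): the decision
// to sanitize is keyed on a content-type label the attachment author controls.
// Returns the string that would be assigned to element.innerHTML.
function renderAttachmentVulnerable(attachment) {
  return attachment.contentType === "text/html"
    ? sanitize(attachment.content)
    : attachment.content; // any other label reaches innerHTML unsanitized
}

// Hardened shape: sanitize at the sink, whatever the metadata says.
function renderAttachmentHardened(attachment) {
  return sanitize(attachment.content);
}

// Defender-side check used by the demo: does rendered HTML still carry
// script tags, inline event handlers or javascript: URLs?
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed sample: the same inline-handler payload under both labels.
const samplePayload = '<img src="x" onerror="alert(1)">';
const labeledHtml = { contentType: "text/html", content: samplePayload };
const mislabeled = { contentType: "text/anything", content: samplePayload };

console.log("vulnerable, text/html:    ", renderAttachmentVulnerable(labeledHtml));
console.log("vulnerable, text/anything:", renderAttachmentVulnerable(mislabeled));
console.log("hardened,   text/anything:", renderAttachmentHardened(mislabeled));
```

Run with `node` to see the three outputs: the vulnerable renderer strips the handler only for the 'text/html' label and passes the mislabeled copy through untouched, while the hardened renderer produces the same stripped markup for both. In a real application, replace the toy sanitizer with a maintained library such as DOMPurify and keep a CSP as the second layer, as the mitigation list above recommends.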
Generated by CVEReports - Automated Vulnerability Intelligence