CVE-2024-43368: Trix has a cross-site Scripting vulnerability on copy & paste
The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99. In https://github.com/basecamp/trix/pull/1149, we added sanitation for Trix attachments with a text/html content type. However, Trix only checks the content type on the paste event’s dataTransfer object. As long as the dataTransfer has a content type of text/html, Trix parses its contents and creates an Attachment with them, even if the attachment itself doesn’t have a text/html content type. Trix then uses the attachment content to set the attachment element’s innerHTML.
References
- developer.mozilla.org/en-US/docs/Web/API/DataTransfer
- github.com/advisories/GHSA-qm2q-9f3q-2vcv
- github.com/basecamp/trix
- github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6
- github.com/basecamp/trix/pull/1149
- github.com/basecamp/trix/pull/1156
- github.com/basecamp/trix/releases/tag/v2.1.4
- github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
- github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv
- nvd.nist.gov/vuln/detail/CVE-2024-43368
Code Behaviors & Features
Detect and mitigate CVE-2024-43368 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →