CVE-2024-34341 MEDIUM

CVE-2024-34341: The Trix Editor Contains an Arbitrary Code Execution Vulnerability

Vendor: Basecamp
Product: trix
Weakness: CWE-79 · XSS
Published: May 7, 2024
Last update: August 2, 2024

CVSS base score: 5.4/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Trix is a rich text editor. Versions prior to 2.1.1 are vulnerable to arbitrary code execution when content copied from the web or from other documents containing markup is pasted into the editor. The vulnerability stems from improper sanitization of pasted content, which allows an attacker to embed malicious scripts that execute in the context of the application. Users should upgrade to Trix 2.1.1 or later, which properly sanitizes input from copied content.

Key dates

Disclosure timeline

May 7, 2024: CVE published
August 2, 2024: Record updated