CVE-2024-53847 MEDIUM

CVE-2024-53847: Trix vulnerable to Cross-site Scripting on copy & paste

Vendor Basecamp
Product trix
Weakness CWE-79 · XSS
Published December 9, 2024
Last update December 10, 2024
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

The Trix rich text editor, prior to versions 2.1.9 and 1.3.3, is vulnerable to cross-site scripting (XSS) + mutation XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.9 or 1.3.3, which uses DOMPurify to sanitize the pasted content.

Key dates

02Disclosure timeline

December 9, 2024 CVE published
December 10, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2020-3282 Cisco Unified Communications Products Cross-Site Scripting Vulnerability CVE-2021-36867 WordPress Psychological tests & quizzes plugin <= 0.21.19 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability CVE-2025-26551 WordPress Bootstrap collapse plugin <= 1.0.4 - CSRF to Stored Cross-Site Scripting vulnerability CVE-2023-4913 Cross-site Scripting (XSS) - Reflected in cecilapp/cecil CVE-2025-10909 Mangati NovoSGA SVG File admin cross site scripting