[NPM:GHSA-QJQP-XR96-CJ99] Trix Editor Arbitrary Code Execution Vulnerability

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application.

Vulnerable Versions: Up to 2.1.0

Fixed Version: 2.1.1

Vector:

Bug 1: When copying content manipulated by a script, such as:

js document.addEventListener('copy', function(e){ e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>'); e.preventDefault(); });

and pasting into the Trix editor, the script within the content is executed.

Bug 2: Similar execution occurs with content structured as:

js document.write(`copy<div data-trix-attachment="{"contentType":"text/html","content":"<img src=1 onerror=alert(101)>HELLO123"}"></div>me`);

Impact:

An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Remediation:

Update Recommendation: Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts can significantly mitigate the risk of such vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References:

Credit: These issues were reported by security researchers loknop and pinpie.

Package	Affected Version
pkg:npm/trix	< 2.1.1

Package	Fixed Version
pkg:npm/trix	= 2.1.1

ID: NPM:GHSA-QJQP-XR96-CJ99
Severity: moderate
URL: https://github.com/advisories/GHSA-qjqp-xr96-cj99
Published: 2024-05-07T16:49:24
(12 days ago)
Modified: 2024-05-07T18:48:11
(11 days ago)
Rights: NPM Security Team

Source	# ID	Name	URL
			https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
			https://github.com/basecamp/trix/pull/1147
			https://github.com/basecamp/trix/pull/1149
			https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
			https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
			https://github.com/basecamp/trix/releases/tag/v2.1.1
			https://nvd.nist.gov/vuln/detail/CVE-2024-34341
			https://github.com/advisories/GHSA-qjqp-xr96-cj99

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:npm/trix		trix	< 2.1.1
Fixed	pkg:npm/trix		trix	= 2.1.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date