Unknown · Trix Editor · CVE-2024-43368
**Name of the Vulnerable Software and Affected Versions**
Trix editor versions prior to 2.1.4
**Description**
This issue bypasses a previous fix and allows an attacker to execute arbitrary JavaScript in the context of the user's session when the user pastes malicious content. The root cause is that the Trix editor checks the content type only on the paste event's `dataTransfer` object and then uses each attachment's content to set the attachment element's `innerHTML`, even when the attachment itself does not have a `text/html` content type. An attacker could trick a user into copying and pasting malicious content, potentially leading to unauthorized actions or disclosure of sensitive information.
**Recommendations**
To resolve the issue, users should upgrade to Trix editor version 2.1.4 or later, which properly sanitizes content pasted from the clipboard. Additionally, tightening the Content Security Policy (CSP) to disallow inline scripts significantly reduces the impact of vulnerabilities of this kind. Set policies such as `script-src 'self'` so that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using `script-src-elem`. Deployments that can refuse browsers lacking Content Security Policy support can rely on such a policy as an effective workaround for this and all XSS vulnerabilities.
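The following is an added illustration, not Trix's own code, of the defect the description above attributes to versions before 2.1.4 and of the per-attachment check plus allowlist sanitization that the recommendations call for. The paste and attachment object shapes, the function names and the allowlist are assumptions made for this example; they are not the Trix API.

```javascript
// Added example (not Trix's code). Models the paste-handling defect behind
// CVE-2024-43368 and a hardened alternative. Object shapes and names are
// assumptions made for this illustration, not the Trix data model.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };

// Escapes text so it can never open a tag; existing entity references are kept.
function escapeText(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Allowlist sanitizer that rebuilds markup instead of stripping patterns:
// tags and attributes not on the allowlist are dropped (their text content is
// kept as text), href must be http(s), and all text nodes are escaped.
function sanitizeHtml(html) {
  const out = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>/y;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") {
      const next = html.indexOf("<", i);
      const end = next === -1 ? html.length : next;
      out.push(escapeText(html.slice(i, end)));
      i = end;
      continue;
    }
    tagRe.lastIndex = i;
    const m = tagRe.exec(html);
    if (!m) { out.push("&lt;"); i += 1; continue; } // stray '<' becomes text
    const [whole, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    i += whole.length;
    if (!ALLOWED_TAGS.has(name)) continue;            // drop the tag itself
    if (closing) { out.push(`</${name}>`); continue; }
    const attrs = [];
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attrName = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      if (!ALLOWED_ATTRS[name] || !ALLOWED_ATTRS[name].has(attrName)) continue;
      if (attrName === "href" && !/^https?:\/\//i.test(value)) continue; // rejects javascript:, data:
      attrs.push(` ${attrName}="${escapeAttr(value)}"`);
    }
    out.push(`<${name}${attrs.join("")}>`);
  }
  return out.join("");
}

// Modelled paste payload (assumption):
//   { dataTransferTypes: [...], attachments: [{ contentType, content }] }

// Pattern the advisory describes for pre-2.1.4: one check on the event's
// dataTransfer types, after which every attachment's raw content is used as
// innerHTML regardless of the attachment's own content type.
function renderPasteVulnerable(paste) {
  const eventSaysHtml = paste.dataTransferTypes.includes("text/html");
  return paste.attachments.map((att) =>
    eventSaysHtml ? att.content : escapeText(att.content));
}

// Hardened pattern: decide per attachment from its own content type, and
// pass anything treated as HTML through the allowlist sanitizer before it
// reaches innerHTML; everything else is inserted as text.
function renderPasteHardened(paste) {
  return paste.attachments.map((att) =>
    att.contentType === "text/html" ? sanitizeHtml(att.content) : escapeText(att.content));
}

// Constructed sample: the event advertises text/html, but the second
// attachment is plain text whose body happens to contain markup.
const SAMPLE_PASTE = {
  dataTransferTypes: ["text/plain", "text/html"],
  attachments: [
    { contentType: "text/html", content: '<p>Hello <a href="https://example.com">link</a></p>' },
    { contentType: "text/plain", content: '<img src="x" onerror="alert(1)">' },
  ],
};

console.log(renderPasteVulnerable(SAMPLE_PASTE)); // second entry reaches innerHTML as live markup
console.log(renderPasteHardened(SAMPLE_PASTE));   // second entry is inert, escaped text
```

The rebuild-from-allowlist approach matters: a sanitizer that removes known-bad substrings leaves every unanticipated construct in place, whereas one that only emits tags and attributes it recognizes fails closed. In a real deployment the sanitizer would be a maintained library rather than this illustration, and the CSP described above remains the backstop for anything the sanitizer misses.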