PT-2024-25798 · Unknown · Trix Editor

Loknop · Published 2024-05-07 · Updated 2025-05-17 · CVE-2024-34341

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Trix editor versions prior to 2.1.1
Trix editor versions prior to 2.1.4

Description
The Trix editor is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. This vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts that are executed within the context of the application. An attacker could exploit this vulnerability to execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Recommendations
For Trix editor versions prior to 2.1.1, users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content. For Trix editor versions prior to 2.1.4, users should upgrade to Trix editor version 2.1.4 or later, which incorporates proper sanitization of input from copied content. As a temporary workaround, consider enhancing the Content Security Policy (CSP) to disallow inline scripts by setting CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.
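The CSP workaround above can be checked mechanically. The following is an added example, not code from this advisory or from the Trix project: it parses a Content-Security-Policy header and reports whether inline script elements could still execute, and also whether inline event-handler attributes could (those fall under script-src-attr rather than script-src-elem), following the CSP Level 3 fallback rules. The two sample headers are constructed for the example.

```javascript
// Added example (not from the advisory or Trix): audit a CSP header for the
// workaround described above. Fallback chains and the nonce/hash/strict-dynamic
// rules follow the CSP Level 3 specification.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first occurrence wins
  }
  return directives;
}

// Walk a fallback chain (e.g. script-src-elem -> script-src -> default-src) and
// return the governing source list; null means the context is unrestricted.
function effectiveSources(directives, chain) {
  for (const name of chain) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// isScriptElement distinguishes <script> elements from inline event handlers:
// a nonce or hash source disables 'unsafe-inline' for both, while
// 'strict-dynamic' disables it only for script elements.
function allowsInline(sources, isScriptElement) {
  if (sources === null) return true; // no applicable directive: nothing is blocked
  const s = sources.map((t) => t.toLowerCase());
  if (s.some((t) => /^'(nonce-|sha(256|384|512)-)/.test(t))) return false;
  if (isScriptElement && s.includes("'strict-dynamic'")) return false;
  return s.includes("'unsafe-inline'");
}

function auditCspForPastedScripts(header) {
  const d = parseCsp(header);
  return {
    inlineScriptElements: allowsInline(
      effectiveSources(d, ["script-src-elem", "script-src", "default-src"]), true),
    inlineEventHandlers: allowsInline(
      effectiveSources(d, ["script-src-attr", "script-src", "default-src"]), false),
  };
}

// Constructed sample headers: a permissive policy and the advisory's workaround.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const WORKAROUND_CSP = "default-src 'self'; script-src 'self'; script-src-elem 'self'";
```

Run `auditCspForPastedScripts(WEAK_CSP)` and `auditCspForPastedScripts(WORKAROUND_CSP)` to compare the two policies; a header with no script-related directive at all reports both contexts as allowed.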

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-34341
GHSA-QJQP-XR96-CJ99
GHSA-QM2Q-9F3Q-2VCV
OPENSUSE-SU-2024:14068-1
OPENSUSE-SU-2024:14074-1
OPENSUSE-SU-2025:15111-1
OPENSUSE-SU-2025:15124-1

Affected Products

Trix Editor