PT-2024-30531 · Unknown · Trix Editor

Thwin_Htet · Published 2024-05-07 · Updated 2024-08-15 · CVE-2024-43368

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Trix editor versions prior to 2.1.4
Description: The issue is a bypass of the fix for an earlier paste-based XSS in Trix (tracked as GHSA-QJQP-XR96-CJ99): an attacker can still execute arbitrary JavaScript in the context of the user's session when the user pastes attacker-controlled content. The cause is that Trix checks the content type only on the paste event's dataTransfer object, and then uses the attachment's content to set the attachment element's innerHTML even when the attachment itself does not have a text/html content type. The check and the sink refer to different objects, so content that arrives under a non-HTML type is never sanitized before it becomes markup. An attacker who tricks a user into copying and pasting crafted content can thereby run script as that user, which may lead to unauthorized actions or disclosure of sensitive information.
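The mechanism above, as an added illustration that is not Trix's own source: the first render path models the vulnerable shape, where the only content-type check sits on the paste event's dataTransfer types; the second checks the attachment itself and never lets unsanitized markup reach innerHTML. FakeElement, the toy sanitizeHtml, and the sample attachment are this example's own constructions.

```javascript
// Added illustration, not Trix's code. Models the paste-to-render path in two
// shapes: the check on the wrong object (vulnerable) and on the attachment (fixed).

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Toy allowlist sanitizer standing in for an editor's HTML sanitizer: keeps a few
// formatting tags, keeps only http(s) hrefs on <a>, drops every other attribute
// (so no on* handler survives) and escapes any tag not on the list. Regex-based
// and for illustration only; production code should use a DOM-based sanitizer.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'br', 'a']);
function sanitizeHtml(html) {
  return String(html).replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (whole, slash, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return escapeHtml(whole);
    if (slash) return `</${tag}>`;
    let kept = '';
    if (tag === 'a') {
      const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
      const href = m ? (m[1] ?? m[2] ?? m[3]) : null;
      if (href && /^https?:\/\//i.test(href.trim())) kept = ` href="${escapeHtml(href.trim())}"`;
    }
    return `<${tag}${kept}>`;
  });
}

// Stand-in for a DOM element that records which sink received the content.
class FakeElement {
  constructor() { this.innerHTML = ''; this.sink = null; }
  setInnerHTML(html) { this.innerHTML = html; this.sink = 'innerHTML'; }
  setTextContent(text) { this.innerHTML = escapeHtml(text); this.sink = 'textContent'; }
}

// Vulnerable shape: sanitize only when the paste event advertises text/html;
// an attachment that arrives under any other type has its content written raw.
function renderAttachmentVulnerable(dataTransferTypes, attachment) {
  const el = new FakeElement();
  if (dataTransferTypes.includes('text/html')) {
    el.setInnerHTML(sanitizeHtml(attachment.content));
  } else {
    el.setInnerHTML(attachment.content); // the bypass: no sanitizer on this branch
  }
  return el;
}

// Fixed shape: decide on the attachment's own content type, render non-HTML as
// text, and pass HTML through the sanitizer before it reaches innerHTML.
function renderAttachmentFixed(_dataTransferTypes, attachment) {
  const el = new FakeElement();
  if (attachment.contentType === 'text/html') {
    el.setInnerHTML(sanitizeHtml(attachment.content));
  } else {
    el.setTextContent(attachment.content);
  }
  return el;
}

// Constructed sample: the clipboard advertises only text/plain, yet the
// attachment's content is markup carrying an inline event handler.
const PASTE_TYPES = ['text/plain'];
const ATTACHMENT = {
  contentType: 'text/plain',
  content: '<img src="x" onerror="alert(document.domain)">',
};

function demo() {
  return {
    vulnerable: renderAttachmentVulnerable(PASTE_TYPES, ATTACHMENT),
    fixed: renderAttachmentFixed(PASTE_TYPES, ATTACHMENT),
    htmlAttachment: renderAttachmentFixed(['text/html'], {
      contentType: 'text/html',
      content: '<b>ok</b><img src=x onerror=alert(1)><a href="javascript:alert(1)" onclick="x">l</a>',
    }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [k, v] of Object.entries(demo())) console.log(`${k}: [${v.sink}] ${v.innerHTML}`);
}
```

Running it shows the vulnerable path writing the `<img onerror=...>` markup to innerHTML untouched, while the fixed path renders the same attachment as escaped text and strips the handler from a genuine text/html attachment. The point to carry over to other code is that the sanitizer must sit on the object that is actually written to the sink, not on metadata of the event that delivered it.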
Recommendations: Upgrade to Trix editor 2.1.4 or later, which sanitizes attachment content before it is rendered regardless of how the content was pasted. As defence in depth, deploy a Content Security Policy that disallows inline script. A script-src 'self' directive without 'unsafe-inline' permits only scripts loaded from the page's own origin and blocks both inline <script> elements and inline event handlers such as onerror, which is the form an injected-markup XSS of this kind typically takes. script-src-elem and script-src-attr can tighten those two sinks separately, but the baseline protection comes from script-src (or default-src) itself, and a single 'unsafe-inline' in the governing directive undoes it, so verify the effective policy with the browser console or a CSP evaluator before relying on it. CSP is a mitigation, not a fix: it limits what injected script can do but does not remove the injection, and it gives no protection in browsers that do not enforce it. Where a deployment can require CSP-capable browsers, a strict policy substantially reduces the impact of this and other XSS vulnerabilities.
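The policy recommendation above, as an added example that is not part of the advisory: the strict and weak headers side by side, plus a small evaluator that answers the two questions that matter here, whether inline script is blocked at each sink and which script origins are allowed. Directive fallback follows the CSP3 rules (script-src-elem and script-src-attr fall back to script-src, then default-src). The function names, the sample policies and the origins are this example's own.

```javascript
// Added example, not part of the advisory: CSP headers and a small evaluator.

// Baseline the recommendation describes: same-origin scripts only, no inline script.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
// What not to ship: 'unsafe-inline' re-enables exactly the inline handler an XSS needs.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";

// Parse "directive src src; directive ..." into a Map of directive -> sources.
// A repeated directive is ignored, as browsers ignore all but the first.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Source list governing a script sink: 'elem' for <script> elements and external
// scripts, 'attr' for inline event handlers such as onerror.
function governingSources(policy, sink) {
  const specific = sink === 'attr' ? 'script-src-attr' : 'script-src-elem';
  for (const d of [specific, 'script-src', 'default-src']) {
    if (policy.has(d)) return policy.get(d);
  }
  return null; // nothing governs this sink: browser default is allow-all
}

// Does the policy let inline script run at the given sink?
function allowsInlineScript(header, sink = 'attr') {
  const sources = governingSources(parseCsp(header), sink);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  // 'unsafe-inline' is ignored once a nonce or hash source is present (CSP Level 2+).
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Does the policy allow an external script at scriptUrl on a page from pageOrigin?
// Handles 'none', '*', 'self', scheme sources and exact host sources; host
// wildcards and path matching are out of scope for this illustration.
function allowsScriptFrom(header, scriptUrl, pageOrigin) {
  const sources = governingSources(parseCsp(header), 'elem');
  if (sources === null) return true;
  const script = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  return sources.some((raw) => {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === '*') return true;
    if (src === "'self'") return script.origin === page.origin;
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return script.protocol === src; // e.g. https:
    if (src.startsWith("'")) return false; // other keyword sources never match a URL
    try {
      const allowed = new URL(src.includes('://') ? src : `${page.protocol}//${src}`);
      return allowed.origin === script.origin;
    } catch {
      return false;
    }
  });
}

// Summary a practitioner would run against a candidate header before deploying it.
function evaluatePolicy(header, pageOrigin = 'https://app.example') {
  return {
    inlineHandlersBlocked: !allowsInlineScript(header, 'attr'),
    inlineScriptElementsBlocked: !allowsInlineScript(header, 'elem'),
    selfScriptsAllowed: allowsScriptFrom(header, `${pageOrigin}/editor.js`, pageOrigin),
    thirdPartyScriptsAllowed: allowsScriptFrom(header, 'https://cdn.invalid/x.js', pageOrigin),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('strict', evaluatePolicy(STRICT_CSP));
  console.log('weak', evaluatePolicy(WEAK_CSP));
}
```

The header goes on every HTML response that embeds the editor, not only the page that first loads it. The evaluator is deliberately conservative: when no directive governs a sink it reports the browser default (allow), which is the case to watch for in policies that set only img-src or style-src and assume scripts are covered.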

Tags: Exploit, Fix, XSS

Weakness Enumeration

Related Identifiers

CVE-2024-43368
GHSA-QJQP-XR96-CJ99
GHSA-QM2Q-9F3Q-2VCV

Affected Products

Trix Editor