PT-2024-35949 · Trix

Hiumee

Published: 2024-12-09 · Updated: 2025-03-26 · CVE-2024-53847

CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Trix editor versions prior to 2.1.9 and 1.3.3
Description: The issue concerns cross-site scripting (XSS) and mutation XSS attacks when pasting malicious code. An attacker could trick a user into copying and pasting malicious code, leading to the execution of arbitrary JavaScript code within the user's session. This could result in unauthorized actions or the disclosure of sensitive information.
Recommendations: For versions prior to 2.1.9, upgrade to version 2.1.9 or later, which uses DOMPurify to sanitize pasted content. For versions prior to 1.3.3, upgrade to version 1.3.3 or later. As a mitigation measure, consider disallowing browsers that do not support a Content Security Policy and set policies such as script-src 'self' to ensure only scripts from the same origin are executed, and prohibit inline scripts using script-src-elem.
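An added check for the Content Security Policy part of the recommendation above (example code, not from the advisory or the Trix project): it parses a Content-Security-Policy header and reports whether script sources are restricted to 'self' and inline scripts are prohibited, applying the CSP3 fallback from script-src-elem to script-src to default-src. The sample headers in the comments are constructed.

```javascript
// Added example (not part of the advisory): checker for the recommended CSP
// settings, i.e. script-src 'self' with no inline scripts allowed.

function parseCsp(header) {
  // Directives are separated by ';'; each is "name source ...".
  const policy = new Map();
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// CSP3 fallback chain: script-src-elem -> script-src -> default-src.
function effectiveScriptElemSources(policy) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (policy.has(name)) return policy.get(name);
  }
  return null; // no governing directive: any script source is allowed
}

// Returns a list of findings; an empty list means the header meets the
// advisory's recommendation for script sources.
function checkCsp(header) {
  const sources = effectiveScriptElemSources(parseCsp(header));
  const findings = [];
  if (sources === null) {
    findings.push('no script-src-elem, script-src or default-src directive');
    return findings;
  }
  if (sources.includes('*') || sources.includes('http:') || sources.includes('https:')) {
    findings.push('script element sources allow arbitrary origins');
  }
  if (!sources.includes("'self'")) {
    findings.push("script sources are not restricted to 'self'");
  }
  // 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash is present.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("inline scripts permitted via 'unsafe-inline'");
  }
  return findings;
}
// checkCsp("default-src 'self'; script-src 'self'; script-src-elem 'self'") -> []
// checkCsp("script-src 'self' 'unsafe-inline'") -> one finding (inline scripts)
```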

Weakness Enumeration

XSS

Related Identifiers

ALT-PU-2025-3714
CVE-2024-53847
GHSA-6VX4-V2JW-QWQH

Affected Products

Alt Linux
Trix