SB2024081483 - Cross-site scripting in Trix



SB2024081483 - Cross-site scripting in Trix

Published: August 14, 2024 Updated: April 28, 2026

Security Bulletin ID SB2024081483
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2024-43368)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the user's session.

The vulnerability exists due to improper neutralization of input during web page generation in the Trix attachment handling logic when processing pasted content. A remote attacker can trick the victim into copying and pasting malicious code to execute arbitrary JavaScript code in the user's session.

User interaction is required to copy and paste the crafted content.


Remediation

Install update from vendor's website.