SB2024081483 - Cross-site scripting in Trix
Published: August 14, 2024 Updated: April 28, 2026
Security Bulletin ID
SB2024081483
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2024-43368)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the user's session.
The vulnerability exists due to improper neutralization of input during web page generation in the Trix attachment handling logic when processing pasted content. A remote attacker can trick the victim into copying and pasting malicious code to execute arbitrary JavaScript code in the user's session.
User interaction is required to copy and paste the crafted content.
Remediation
Install update from vendor's website.