Main Vulnerability Database SB2024120964

SB2024120964 - Cross-site scripting in Trix

Published: December 9, 2024 Updated: April 28, 2026

Security Bulletin ID SB2024120964

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2024-53847)

The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the context of the user's session.

The vulnerability exists due to cross-site scripting in the copy and paste handling in Trix when processing pasted malicious content. A remote attacker can trick a user into copying and pasting malicious code to execute arbitrary JavaScript code in the context of the user's session.

User interaction is required to copy and paste the crafted content.

Remediation

Install update from vendor's website.

References

https://github.com/basecamp/trix/security/advisories/GHSA-6vx4-v2jw-qwqh