SB20260428197 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Trix

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: N/A)

The vulnerability allows a remote user to execute arbitrary JavaScript code in the user's session.

The vulnerability exists due to cross-site scripting in the data-trix-attachment attribute when rendering attachment payloads as HTML and the content is clicked. A remote user can inject malicious code into a crafted attachment attribute to execute arbitrary JavaScript code in the user's session.

User interaction is required to click the rendered content.

Remediation

Install update from vendor's website.

References

• https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
• https://github.com/advisories/GHSA-g9jg-w8vm-g96v