Cross-site scripting in Trix - CVE-2024-53847
Published: December 9, 2024 / Updated: April 28, 2026
Trix
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the context of the user's session.
The vulnerability exists because the copy-and-paste handling in Trix is susceptible to cross-site scripting when it processes pasted malicious content. A remote attacker can trick a user into copying and pasting crafted content and thereby execute arbitrary JavaScript code in the context of the user's session.
User interaction is required to copy and paste the crafted content.
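As an added defensive illustration (constructed for this page; it is not Trix's own code and does not describe how Trix handles the clipboard), the following allowlist sanitizer shows the kind of gate a rich-text editor can put between a paste event's `text/html` payload and the document: every tag, attribute and link scheme not explicitly allowed is dropped before anything is inserted.

```javascript
// Allowlist sanitizer for pasted HTML. In a browser it would be called from a
// paste handler on the clipboard's "text/html" data before insertion; here it
// is plain JavaScript so it runs stand-alone. Constructed example, not Trix code.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a']);
const VOID_TAGS = new Set(['br']);
// Raw-text containers: the tag and everything up to its closing tag is dropped.
const RAW_TEXT_TAGS = new Set(['script', 'style', 'iframe', 'noscript', 'template', 'textarea']);
// Only href on <a> survives, and only with a literal http(s)/mailto scheme made
// of URL characters (no whitespace, quotes or control characters), so scheme
// tricks such as entity-encoded or tab-split "javascript:" are rejected.
const SAFE_HREF = /^(?:https?:\/\/|mailto:)[A-Za-z0-9._~:\/?#\[\]@!$&'()*+,;=%-]+$/;

// Tokens: comment | tag (name, attributes) | text run | stray '<'
const TOKEN = /<!--[\s\S]*?-->|<\/?([A-Za-z][A-Za-z0-9]*)([^>]*)>|[^<]+|</g;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function sanitizePastedHtml(html) {
  const out = [];
  const open = [];      // stack of emitted open tags, so output stays balanced
  let rawUntil = null;  // set while inside <script>/<style>-style content
  for (const m of html.matchAll(TOKEN)) {
    const [tok, name, attrs] = m;
    const tag = name ? name.toLowerCase() : null;
    const isClose = tag && tok.startsWith('</');
    if (rawUntil) { if (isClose && tag === rawUntil) rawUntil = null; continue; }
    if (!tag) { if (!tok.startsWith('<!--')) out.push(escapeText(tok)); continue; }
    if (isClose) {
      const i = open.lastIndexOf(tag);           // unknown close tags are ignored
      if (i !== -1) while (open.length > i) out.push(`</${open.pop()}>`);
    } else if (RAW_TEXT_TAGS.has(tag)) {
      rawUntil = tag;
    } else if (ALLOWED_TAGS.has(tag)) {
      let kept = '';
      if (tag === 'a') {
        for (const a of attrs.matchAll(ATTR)) {
          const val = a[2] ?? a[3] ?? a[4] ?? '';
          if (a[1].toLowerCase() === 'href' && SAFE_HREF.test(val)) kept = ` href="${val}"`;
        }
      }
      out.push(`<${tag}${kept}>`);
      if (!VOID_TAGS.has(tag)) open.push(tag);
    }
    // Any other element (div, img, svg, ...) is dropped; its text content is kept.
  }
  while (open.length) out.push(`</${open.pop()}>`);
  return out.join('');
}
```

Event-handler attributes never reach the output because no `on*` name is on the allowlist, and a raw `<` in text is escaped rather than passed through as markup.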