#VU128361 Cross-site scripting in Trix - CVE-2024-43368

Published: August 14, 2024 / Updated: April 28, 2026

Vulnerability identifier: #VU128361
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2024-43368
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Trix
Software vendor: Basecamp

Description

The vulnerability allows a remote attacker to execute arbitrary JavaScript code in the user's session.

The vulnerability exists due to improper neutralization of input during web page generation in the Trix attachment handling logic when processing pasted content. A remote attacker can trick the victim into copying and pasting crafted content, resulting in the execution of arbitrary JavaScript code in the user's session.

User interaction is required to copy and paste the crafted content.
Remediation

Install the security update from the vendor's website.