5.1

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-53847

GHSA ID

GHSA-6vx4-v2jw-qwqh

EPSS Score

0.37103%

CWE

CWE-79

Published

12/9/2024

Updated

12/9/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-53847

CVE-2024-53847: Trix editor subject to XSS vulnerabilities on copy & paste

The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code.

Impact

An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.9 or later, which uses DOMPurify to sanitize the pasted content.

If using Trix 1.x, upgrade to version 1.3.3 or later.

Mitigations

This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

References

The XSS vulnerability was reported by HackerOne researcher hiumee. The mutation XSS vulnerability was reported by HackerOne researcher sudi.

(GitHub Advisory)

5.1

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-53847

GHSA ID

GHSA-6vx4-v2jw-qwqh

EPSS Score

0.37103%

CWE

CWE-79

Published

12/9/2024

Updated

12/9/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
trix	npm	>= 2.0.0, < 2.1.9	2.1.9
trix	npm	>= 1.0.0, < 1.3.3	1.3.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inadequate HTML sanitization during paste operations. The commit diff shows the patched version introduced DOMPurify in HTMLSanitizer.sanitize(), indicating this was the vulnerable point. The pre-patch implementation only handled basic element checks and list nesting normalization, failing to properly sanitize dangerous HTML constructs in data-trix-attachment content. The added test cases demonstrate exploitation via MathML and embed elements, which would have been inadequately processed by the original sanitize method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** Trix **itor, in v*rsions prior to *.*.* *n* *.*.*, is vuln*r**l* to XSS + mut*tion XSS *tt**ks w**n p*stin* m*li*ious *o**. ### Imp**t *n *tt**k*r *oul* tri*k * us*r to *opy *n* p*st* m*li*ious *o** t**t woul* *x**ut* *r*itr*ry J*v*S*ript *o**

Reasoning

T** vuln*r**ility st*ms *rom in***qu*t* *TML s*nitiz*tion *urin* p*st* op*r*tions. T** *ommit *i** s*ows t** p*t**** v*rsion intro*u*** `*OMPuri*y` in `*TMLS*nitiz*r.s*nitiz*()`, in*i**tin* t*is w*s t** vuln*r**l* point. T** pr*-p*t** impl*m*nt*tion

5.1

Basic Information

Concerned about an active attack path?

CVE-2024-53847: Trix editor subject to XSS vulnerabilities on copy & paste

Impact

Patches

Mitigations

References

5.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI