4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-g9jg-w8vm-g96v

GHSA-g9jg-w8vm-g96v: Trix has a stored XSS vulnerability through its attachment attribute

Impact

The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.

An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.

Resources

The XSS vulnerability was reported by HackerOne researcher michaelcheers.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-g9jg-w8vm-g96v

GHSA-g9jg-w8vm-g96v:

4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
trix	npm	< 2.1.16	2.1.16
action_text-trix	rubygems	< 2.1.16	2.1.16

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Trix editor, specifically within the handling of attachment attributes. The analysis of the provided patch commit 73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010 reveals that the core of the vulnerability lies in the AttachmentView.getHref function. Before the patch, this function would retrieve the href attribute from an attachment and return it without validation. This allowed for malicious schemes like javascript: to be embedded in the attachment's data. The patch introduces a security control by using DOMPurify.isValidAttribute to sanitize the href attribute before it is returned, thus preventing the execution of arbitrary JavaScript. The test file src/test/unit/html_parser_test.js also confirms this by adding test cases that check for javascript: and data:text/html protocols in attachment hrefs. Therefore, the AttachmentView.getHref function is the primary vulnerable function that would appear in a runtime profile during the exploitation of this vulnerability.

Vulnerable functions

AttachmentView.getHref

src/trix/views/attachment_view.js

The `getHref` function in the `AttachmentView` class directly returned the `href` value from a Trix attachment without any sanitization. An attacker could craft a malicious `javascript:` URL and store it in the attachment's `href` attribute. When the Trix editor rendered this attachment, the `getHref` function would be called, and the malicious URL would be used in an anchor tag's `href`, leading to a stored Cross-Site Scripting (XSS) vulnerability when a user clicks on the attachment.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.6

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-g9jg-w8vm-g96v: Trix has a stored XSS vulnerability through its attachment attribute

Impact

Patches

Resources

GHSA-g9jg-w8vm-g96v:

4.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.6

4.6

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-g9jg-w8vm-g96v: Trix has a stored XSS vulnerability through its attachment attribute

Impact

Patches

Resources

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI