{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-34341", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-05-02T06:36:32.436Z", "datePublished": "2024-05-07T15:13:03.137Z", "dateUpdated": "2024-08-02T02:51:09.811Z"}, "containers": {"cna": {"title": "The Trix Editor Contains an Arbitrary Code Execution Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"}, {"name": "https://github.com/basecamp/trix/pull/1147", "tags": ["x_refsource_MISC"], "url": "https://github.com/basecamp/trix/pull/1147"}, {"name": "https://github.com/basecamp/trix/pull/1149", "tags": ["x_refsource_MISC"], "url": "https://github.com/basecamp/trix/pull/1149"}, {"name": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad", "tags": ["x_refsource_MISC"], "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"}, {"name": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554", "tags": ["x_refsource_MISC"], "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"}, {"name": "https://github.com/basecamp/trix/releases/tag/v2.1.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"}], "affected": [{"vendor": "basecamp", "product": "trix", "versions": [{"version": "< 2.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T15:13:03.137Z"}, "descriptions": [{"lang": "en", "value": "Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content."}], "source": {"advisory": "GHSA-qjqp-xr96-cj99", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T18:19:32.684649Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:basecamp:trix:*:*:*:*:*:*:*:*"], "vendor": "basecamp", "product": "trix", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:41:09.585Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.811Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"}, {"name": "https://github.com/basecamp/trix/pull/1147", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/basecamp/trix/pull/1147"}, {"name": "https://github.com/basecamp/trix/pull/1149", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/basecamp/trix/pull/1149"}, {"name": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"}, {"name": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"}, {"name": "https://github.com/basecamp/trix/releases/tag/v2.1.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "name": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/basecamp/trix/pull/1147", "name": "https://github.com/basecamp/trix/pull/1147", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/basecamp/trix/pull/1149", "name": "https://github.com/basecamp/trix/pull/1149", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad", "name": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554", "name": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/basecamp/trix/releases/tag/v2.1.1", "name": "https://github.com/basecamp/trix/releases/tag/v2.1.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T02:51:09.811Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-34341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-07T18:19:32.684649Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:basecamp:trix:*:*:*:*:*:*:*:*"], "vendor": "basecamp", "product": "trix", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-07T18:21:08.980Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "The Trix Editor Contains an Arbitrary Code Execution Vulnerability", "source": {"advisory": "GHSA-qjqp-xr96-cj99", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "basecamp", "product": "trix", "versions": [{"status": "affected", "version": "< 2.1.1"}]}], "references": [{"url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "name": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/basecamp/trix/pull/1147", "name": "https://github.com/basecamp/trix/pull/1147", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/basecamp/trix/pull/1149", "name": "https://github.com/basecamp/trix/pull/1149", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad", "name": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554", "name": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/basecamp/trix/releases/tag/v2.1.1", "name": "https://github.com/basecamp/trix/releases/tag/v2.1.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-07T15:13:03.137Z"}}}, "cveMetadata": {"cveId": "CVE-2024-34341", "state": "PUBLISHED", "dateUpdated": "2024-08-02T02:51:09.811Z", "dateReserved": "2024-05-02T06:36:32.436Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-07T15:13:03.137Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content."}, {"lang": "es", "value": "Trix es un editor de texto enriquecido. El editor Trix, versiones anteriores a la 2.1.1, es vulnerable a la ejecuci\u00f3n de c\u00f3digo arbitrario al copiar y pegar contenido de la web u otros documentos con marcado en el editor. La vulnerabilidad surge de una sanitizaci\u00f3n inadecuada del contenido pegado, lo que permite a un atacante incrustar scripts maliciosos que se ejecutan dentro del contexto de la aplicaci\u00f3n. Los usuarios deben actualizar a la versi\u00f3n 2.1.1 o posterior del editor Trix, que incorpora una sanitizaci\u00f3n adecuada de la entrada del contenido copiado."}], "id": "CVE-2024-34341", "lastModified": "2024-11-21T09:18:27.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-07T16:15:08.217", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"}, {"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"}, {"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/pull/1147"}, {"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/pull/1149"}, {"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/basecamp/trix/pull/1147"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/basecamp/trix/pull/1149"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-12T22:32:02.026361+00:00", "updated": "2025-07-12T22:32:02.026414+00:00", "vendors": ["basecamp", "basecamp$PRODUCT$trix"]}