{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-46812", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-30T19:41:58.133Z", "datePublished": "2025-05-08T19:27:22.573Z", "dateUpdated": "2025-05-08T20:00:42.604Z"}, "containers": {"cna": {"title": "Trix vulnerable to Cross-site Scripting on copy & paste", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 2, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h"}, {"name": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191", "tags": ["x_refsource_MISC"], "url": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191"}], "affected": [{"vendor": "basecamp", "product": "trix", "versions": [{"version": "< 2.1.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-08T19:27:22.573Z"}, "descriptions": [{"lang": "en", "value": "Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15."}], "source": {"advisory": "GHSA-mcrw-746g-9q8h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-08T19:58:29.593312Z", "id": "CVE-2025-46812", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T20:00:42.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-46812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-08T19:58:29.593312Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-08T20:00:38.265Z"}}], "cna": {"title": "Trix vulnerable to Cross-site Scripting on copy & paste", "source": {"advisory": "GHSA-mcrw-746g-9q8h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "basecamp", "product": "trix", "versions": [{"status": "affected", "version": "< 2.1.15"}]}], "references": [{"url": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h", "name": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191", "name": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-08T19:27:22.573Z"}}}, "cveMetadata": {"cveId": "CVE-2025-46812", "state": "PUBLISHED", "dateUpdated": "2025-05-08T20:00:42.604Z", "dateReserved": "2025-04-30T19:41:58.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-08T19:27:22.573Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15."}, {"lang": "es", "value": "Trix es un editor de texto enriquecido con una interfaz intuitiva para la escritura diaria. Las versiones anteriores a la 2.1.15 son vulnerables a ataques XSS al pegar c\u00f3digo malicioso. Un atacante podr\u00eda enga\u00f1ar a un usuario para que copie y pegue c\u00f3digo malicioso que ejecutar\u00eda c\u00f3digo JavaScript arbitrario en su sesi\u00f3n, lo que podr\u00eda provocar acciones no autorizadas o la divulgaci\u00f3n de informaci\u00f3n confidencial. Este problema se ha corregido en la versi\u00f3n 2.1.15."}], "id": "CVE-2025-46812", "lastModified": "2025-05-12T17:32:52.810", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.0, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-08T20:15:30.950", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191"}, {"source": "security-advisories@github.com", "url": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-06-23T19:31:58.585711+00:00", "updated": "2025-06-23T19:31:58.585857+00:00", "vendors": ["basecamp", "basecamp$PRODUCT$trix"]}