114 matches found
Cross-site Scripting (XSS)
Overview org.webjars.npm:trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the StringPiece.fromJSON function. An attacker can execute arbitrary JavaScript in the context of the victim's browser by tricking a user into dragging and droppin...
Cross-site Scripting (XSS)
Overview trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the StringPiece.fromJSON function. An attacker can execute arbitrary JavaScript in the context of the victim's browser by tricking a user into dragging and dropping a crafted...
@9troisquarts/ant-form (>=2.3.0 <=4.0.5), @beliantech/bt-components (>=0.8.0 <=0.33.11) +55 more potentially affected by unknown CVE via trix (>=0.10.2 <=2.1.15)
trix NPM version =0.10.2, =2.3.0, =0.8.0, =0.1.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.5, =4.0.0-alpha.1, =0.1.18, =0.1.85, =0.2.0, =0.0.1, =0.1.0, =0.1.1, =1.32.0, =3.15.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-53P3-C7VP-4MCC...
@burger-editor/blocks (>=4.0.0-alpha.1 <=4.0.0-alpha.7), @burger-editor/client (>=4.0.0-alpha.1 <=4.0.0-alpha.7) +4 more potentially affected by unknown CVE via trix (>=2.0.10 <=2.1.15)
trix NPM version =2.0.10, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.5, =4.0.0-alpha.1, =1.0.1, =1.0.3 Source cves: unknown CVE Source advisory: SNYK:JS-TRIX-15813061...
GHSA-53P3-C7VP-4MCC Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)
Impact The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController e.g., embedded WebViews lacking Input Events Level 2 support. The...
Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)
Impact The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController e.g., embedded WebViews lacking Input Events Level 2 support. The...
Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)
The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController e.g., embedded WebViews lacking Input Events Level 2 support. The StringPiece.fromJSON...
Cross-site Scripting (XSS)
Overview trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the data-trix-serialized-attributes attribute bypassing the DOMPurify sanitizer. An attacker can execute arbitrary JavaScript code within the user's session by crafting HTML...
Cross-site Scripting (XSS)
Overview org.webjars.npm:trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the data-trix-serialized-attributes attribute bypassing the DOMPurify sanitizer. An attacker can execute arbitrary JavaScript code within the user's session by...
@burger-editor/blocks (>=4.0.0-alpha.1 <=4.0.0-alpha.7), @burger-editor/client (>=4.0.0-alpha.1 <=4.0.0-alpha.7) +4 more potentially affected by unknown CVE via trix (>=2.0.10 <=2.1.15)
trix NPM version =2.0.10, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.5, =4.0.0-alpha.1, =1.0.1, =1.0.3 Source cves: unknown CVE Source advisory: SNYK:JS-TRIX-15481278...
@9troisquarts/ant-form (>=2.3.0 <=4.0.5), @beliantech/bt-components (>=0.8.0 <=0.33.11) +55 more potentially affected by unknown CVE via trix (>=0.10.2 <=2.1.15)
trix NPM version =0.10.2, =2.3.0, =0.8.0, =0.1.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.5, =4.0.0-alpha.1, =0.1.18, =0.1.85, =0.2.0, =0.0.1, =0.1.0, =0.1.1, =1.32.0, =3.15.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-QMPG-8XG6-PH5Q...
GHSA-QMPG-8XG6-PH5Q Trix has a Stored XSS vulnerability through serialized attributes
Impact The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer. An attacker could craft HTML containing a data-trix-serialized-attributes attribute with a malicious payload that, when the content ...
Trix has a Stored XSS vulnerability through serialized attributes
Impact The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer. An attacker could craft HTML containing a data-trix-serialized-attributes attribute with a malicious payload that, when the content ...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the data-trix-serialized-attributes attribute bypassing the DOMPurify sanitizer. An attacker can execute arbitrary JavaScript code within the user's session by crafting HTML containing a malicious payload in...
Trix has a Stored XSS vulnerability through serialized attributes
The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer. An attacker could craft HTML containing a data-trix-serialized-attributes attribute with a malicious payload that, when the content is...
GHSA-G9JG-W8VM-G96V Trix has a stored XSS vulnerability through its attachment attribute
Impact The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads. An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of th...
Cross-site Scripting (XSS)
Overview org.webjars.npm:trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to applying DOMPurify.isValidAttribute to data-trix-attachments before rendering them as anchor tags. An attacker can execute arbitrary JavaScript code within the...
@9troisquarts/ant-form (>=2.3.0 <=4.0.5), @beliantech/bt-components (>=0.8.0 <=0.33.11) +55 more potentially affected by unknown CVE via trix (>=0.10.2 <=2.1.15)
trix NPM version =0.10.2, =2.3.0, =0.8.0, =0.1.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.5, =4.0.0-alpha.1, =0.1.18, =0.1.85, =0.2.0, =0.0.1, =0.1.0, =0.1.1, =1.32.0, =3.15.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-G9JG-W8VM-G96V...
@burger-editor/blocks (>=4.0.0-alpha.1 <=4.0.0-alpha.7), @burger-editor/client (>=4.0.0-alpha.1 <=4.0.0-alpha.7) +4 more potentially affected by unknown CVE via trix (>=2.0.10 <=2.1.15)
trix NPM version =2.0.10, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.1, =4.0.0-alpha.5, =4.0.0-alpha.1, =1.0.1, =1.0.3 Source cves: unknown CVE Source advisory: SNYK:JS-TRIX-14825036...
EUVD-2025-206094
Trix has a stored XSS vulnerability through its attachment attribute...