3 matches found
Trix allows Cross-site Scripting via `javascript:` url in a link
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field. Impact An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute arbitrary JavaScript code within the context of the user's session,...
GHSA-6VX4-V2JW-QWQH Trix editor subject to XSS vulnerabilities on copy & paste
The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code. Impact An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially...
GHSA-QM2Q-9F3Q-2VCV Trix has a cross-site Scripting vulnerability on copy & paste
The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99. In https://github.com/basecamp/trix/pull/1149, we added sanitation for...