GHSA-mcrw-746g-9q8h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mcrw-746g-9q8h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-mcrw-746g-9q8h/GHSA-mcrw-746g-9q8h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mcrw-746g-9q8h
- Aliases
- Published
- 2025-05-08T14:48:23Z
- Modified
- 2025-05-08T22:00:43Z
- Severity
-
- 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P CVSS Calculator
- Summary
- Trix vulnerable to Cross-site Scripting on copy & paste
- Details
-
Impact
The Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code.
An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.15 or later.
References
The XSS vulnerability was reported by HackerOne researcher hiumee.
- Database specific
{ "nvd_published_at": "2025-05-08T20:15:30Z", "cwe_ids": [ "CWE-79" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-05-08T14:48:23Z" }- References
Affected packages
npm / trix
Package
- Name
- trix
- View open source insights on deps.dev
- Purl
- pkg:npm/trix