CVE-2024-43368

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published: Aug 14, 2024
Updated: Aug 15, 2024
CWE ID: 79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Summary

CVE-2024-43368 is a cross-site scripting (XSS) vulnerability in the Trix editor affecting versions prior to 2.1.4. Pasted content is not properly sanitized, so an attacker can execute arbitrary JavaScript in the context of the page hosting the editor. The issue bypasses the earlier fix for GHSA-qjqp-xr96-cj99: that fix checks only the content type reported by the clipboard's `dataTransfer` object during the paste event, not the actual content type of the attachment that is created, so attacker-controlled markup can still be written into the `innerHTML` of the attachment element. Successful exploitation can lead to unauthorized actions performed on behalf of the victim and disclosure of sensitive information. The vulnerability is fixed in Trix version 2.1.4; affected deployments should upgrade to 2.1.4 or later.
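The following is an added illustrative model of the weakness class described above; it is not Trix's code and does not reproduce the project's actual handler or fix. The names `FakeElement`, `renderAttachmentVulnerable`, `renderAttachmentHardened`, `craftedItem` and `demo` are assumptions made for the example, and the clipboard item is constructed. It contrasts a paste handler that gates only on the content type the clipboard advertises and then assigns `innerHTML` with one that validates the attachment body for the chosen rendering path and never parses attacker-supplied markup.

```javascript
// Added example (not Trix's code): models a paste handler that trusts the
// clipboard-advertised content type and writes the attachment body into
// innerHTML, beside a hardened variant. Runs under Node without a browser.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal stand-in for a DOM element (assumed helper): assigning textContent
// stores the value HTML-escaped, as a real element would serialize it.
class FakeElement {
  constructor() { this.innerHTML = ""; }
  set textContent(value) { this.innerHTML = escapeHtml(value); }
}

// Vulnerable pattern: the only gate is item.type, which the attacker controls
// just as much as the body, so HTML tagged as an image becomes live DOM.
function renderAttachmentVulnerable(item, el) {
  if (!item.type.startsWith("image/")) return false;
  el.innerHTML = item.content;
  return true;
}

// Hardened pattern: the advertised type only selects a rendering path; each
// path validates the body against what it expects and builds markup from
// escaped, validated fields. Nothing attacker-supplied is parsed as HTML.
function renderAttachmentHardened(item, el) {
  if (item.type.startsWith("image/")) {
    let url;
    try { url = new URL(item.content); } catch { return false; } // markup is not a URL
    const schemeOk = url.protocol === "https:" || url.protocol === "http:" ||
      (url.protocol === "data:" && /^image\/(png|jpeg|gif|webp)[;,]/.test(url.pathname));
    if (!schemeOk) return false; // rejects javascript:, data:text/html, etc.
    el.innerHTML = `<img src="${escapeHtml(url.href)}">`;
    return true;
  }
  if (item.type === "text/plain") {
    el.textContent = item.content; // text path never parses markup
    return true;
  }
  return false; // unknown types (including text/html) are refused, not guessed at
}

// Constructed sample clipboard item: advertised as an image, body is markup.
const craftedItem = {
  type: "image/png",
  content: '<img src=x onerror="alert(document.cookie)">',
};

// Run both handlers on the crafted item and report what each would render.
function demo() {
  const v = new FakeElement();
  const h = new FakeElement();
  return {
    vulnerableAccepted: renderAttachmentVulnerable(craftedItem, v),
    vulnerableHtml: v.innerHTML,
    hardenedAccepted: renderAttachmentHardened(craftedItem, h),
    hardenedHtml: h.innerHTML,
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The point of the hardened variant is not the specific allowlist but the shape of the check: the body is validated for the rendering path actually taken, and the element is built from validated fields rather than from the pasted string. A check that inspects only `dataTransfer` types can be satisfied by any clipboard source the attacker controls.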
