Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)

Description

The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support).

The StringPiece.fromJSON method trusted href attributes from the JSON payload without sanitization.

Recommendation

Update the trix package to the latest compatible version. Followings are version details:

• Affected version(s): < 2.1.18
• Patched version(s): 2.1.18

References

• GHSA-53p3-c7vp-4mcc
• CWE-79
• OWASP 2021-A3

Related Issues

• Trix has a Stored XSS vulnerability through serialized attributes - Vulnerability
• Trix has a stored XSS vulnerability through its attachment attribute - Vulnerability
• svelte is vulnerable to XSS with textarea bind:value - Vulnerability
• @tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Ori - Vulnerability

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

CSRF, XXE, and 12 Other Security Acronyms Explained

These 7 PHP mistakes leave your website open to the hackers

Tags:

npm

trix