Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/trix@2.1.16
Typenpm
Namespace
Nametrix
Version2.1.16
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.1.17
Latest_non_vulnerable_version2.1.18
Affected_by_vulnerabilities
0
url VCID-k8n9-p3pp-8fh7
vulnerability_id VCID-k8n9-p3pp-8fh7
summary 
Trix has a Stored XSS vulnerability through serialized attributes
### Impact
The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a `data-trix-serialized-attributes` attribute bypasses the DOMPurify sanitizer.

An attacker could craft HTML containing a `data-trix-serialized-attributes` attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later.

### References
The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
references
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
2
reference_url https://github.com/basecamp/trix/pull/1282
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/pull/1282
3
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.17
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.17
4
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3
scoring_elements
1
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
6
reference_url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
reference_id GHSA-qmpg-8xg6-ph5q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
fixed_packages
0
url pkg:npm/trix@2.1.17
purl pkg:npm/trix@2.1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17
aliases GHSA-qmpg-8xg6-ph5q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8n9-p3pp-8fh7
Fixing_vulnerabilities
0
url VCID-q1s4-ash2-5udy
vulnerability_id VCID-q1s4-ash2-5udy
summary 
Trix has a stored XSS vulnerability through its attachment attribute
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.

An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
references
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
2
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.16
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.16
3
reference_url https://github.com/advisories/GHSA-g9jg-w8vm-g96v
reference_id GHSA-g9jg-w8vm-g96v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g9jg-w8vm-g96v
4
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
reference_id GHSA-g9jg-w8vm-g96v
reference_type
scores
0
value 4.6
scoring_system cvssv3
scoring_elements
1
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
reference_id GHSA-g9jg-w8vm-g96v.yml
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml
fixed_packages
0
url pkg:npm/trix@2.1.16
purl pkg:npm/trix@2.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-k8n9-p3pp-8fh7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16
aliases GHSA-g9jg-w8vm-g96v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q1s4-ash2-5udy
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16