Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/trix@2.1.17
Typenpm
Namespace
Nametrix
Version2.1.17
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version2.1.18
Latest_non_vulnerable_version2.1.18
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-k8n9-p3pp-8fh7
vulnerability_id VCID-k8n9-p3pp-8fh7
summary 
Trix has a Stored XSS vulnerability through serialized attributes
### Impact
The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a `data-trix-serialized-attributes` attribute bypasses the DOMPurify sanitizer.

An attacker could craft HTML containing a `data-trix-serialized-attributes` attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

### Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later.

### References
The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
references
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
2
reference_url https://github.com/basecamp/trix/pull/1282
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/pull/1282
3
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.17
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.17
4
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3
scoring_elements
1
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
reference_id
reference_type
scores
0
value 4.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml
6
reference_url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
reference_id GHSA-qmpg-8xg6-ph5q
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
fixed_packages
0
url pkg:npm/trix@2.1.17
purl pkg:npm/trix@2.1.17
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17
aliases GHSA-qmpg-8xg6-ph5q
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8n9-p3pp-8fh7
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17