Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-63mn-56k4-jbh4
Summary
Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)
### Impact

The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted `application/x-trix-document` JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support).

The `StringPiece.fromJSON` method trusted `href` attributes from the JSON payload without sanitization. An attacker could craft a draggable element containing a `javascript:` URI in the href attribute that, when dropped into a vulnerable editor, would bypass DOMPurify sanitization and inject executable JavaScript into the DOM.

Exploitation requires a specific environment (Level0InputController fallback) and social engineering (victim must drag and drop attacker-controlled content into the editor). Applications using server-side HTML sanitization (such as Rails' built-in sanitizer) are additionally protected, as the payload is neutralized on save.

### Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later.


### References

The XSS vulnerability was responsibly reported by Hackerone researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).
Aliases
0
alias GHSA-53p3-c7vp-4mcc
Fixed_packages
0
url pkg:gem/action_text-trix@2.1.18
purl pkg:gem/action_text-trix@2.1.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/action_text-trix@2.1.18
1
url pkg:npm/trix@2.1.18
purl pkg:npm/trix@2.1.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.18
Affected_packages
0
url pkg:gem/action_text-trix@0.0.1
purl pkg:gem/action_text-trix@0.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63mn-56k4-jbh4
1
vulnerability VCID-k8n9-p3pp-8fh7
2
vulnerability VCID-q1s4-ash2-5udy
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/action_text-trix@0.0.1
1
url pkg:gem/action_text-trix@2.1.15
purl pkg:gem/action_text-trix@2.1.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63mn-56k4-jbh4
1
vulnerability VCID-k8n9-p3pp-8fh7
2
vulnerability VCID-q1s4-ash2-5udy
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/action_text-trix@2.1.15
2
url pkg:gem/action_text-trix@2.1.16
purl pkg:gem/action_text-trix@2.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63mn-56k4-jbh4
1
vulnerability VCID-k8n9-p3pp-8fh7
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/action_text-trix@2.1.16
3
url pkg:gem/action_text-trix@2.1.17
purl pkg:gem/action_text-trix@2.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63mn-56k4-jbh4
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/action_text-trix@2.1.17
References
0
reference_url https://github.com/basecamp/trix
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix
1
reference_url https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c
2
reference_url https://github.com/basecamp/trix/releases/tag/v2.1.18
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/releases/tag/v2.1.18
3
reference_url https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc
4
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml
5
reference_url https://github.com/advisories/GHSA-53p3-c7vp-4mcc
reference_id GHSA-53p3-c7vp-4mcc
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-53p3-c7vp-4mcc
Weaknesses
0
cwe_id 79
name Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Exploits
Severity_range_score0.1 - 3
Exploitability0.5
Weighted_severity2.7
Risk_score1.4
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-63mn-56k4-jbh4