{"url":"http://public2.vulnerablecode.io/api/packages/36455?format=json","purl":"pkg:npm/trix@2.1.16","type":"npm","namespace":"","name":"trix","version":"2.1.16","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.1.18","latest_non_vulnerable_version":"2.1.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359426?format=json","vulnerability_id":"VCID-2ugz-6znp-aqc2","summary":"Trix has a Stored XSS vulnerability through serialized attributes\n### Impact\n\nThe Trix editor, in versions prior to 2.1.17, is vulnerable to XSS\nattacks when a `data-trix-serialized-attributes` attribute bypasses\nthe DOMPurify sanitizer.\n\nAn attacker could craft HTML containing a `data-trix-serialized-attributes`\nattribute with a malicious payload that, when the content is rendered,\ncould execute arbitrary JavaScript code within the context of the user's\nsession, potentially leading to unauthorized actions being performed\nor sensitive information being disclosed.\n\n### Patches\n\nUpdate Recommendation: Users should upgrade to Trix editor\nversion 2.1.17 or later. Note that 2.1.17 resolves this advisory only:\nper this record it is itself still affected by GHSA-53p3-c7vp-4mcc\n(VCID-pn87-vyk5-xqf8), and 2.1.18 is the next version not affected by\neither advisory.\n\n### References\n\nThe XSS vulnerability was responsibly reported by HackerOne\nresearcher 
[newbiefromcoma](https://hackerone.com/newbiefromcoma).","references":[{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc"},{"reference_url":"https://github.com/basecamp/trix/pull/1282","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/pull/1282"},{"reference_url":"https://github.com/basecamp/trix/releases/tag/v2.1.17","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/releases/tag/v2.1.17"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","sco
ring_elements":""}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml"},{"reference_url":"https://github.com/advisories/GHSA-qmpg-8xg6-ph5q","reference_id":"GHSA-qmpg-8xg6-ph5q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qmpg-8xg6-ph5q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375257?format=json","purl":"pkg:npm/trix@2.1.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-pn87-vyk5-xqf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17"}],"aliases":["GHSA-qmpg-8xg6-ph5q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ugz-6znp-aqc2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359425?format=json","vulnerability_id":"VCID-pn87-vyk5-xqf8","summary":"Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)\n### Impact\n\nThe Trix editor, in versions prior to 2.1.18, is vulnerable to XSS\nwhen a crafted `application/x-trix-document` JSON payload is dropped\ninto the editor in environments using the fallback Level0InputController\n(e.g., embedded WebViews lacking Input Events Level 2 support).\n\nThe `StringPiece.fromJSON` method trusted `href` attributes from the\nJSON payload without sanitization. 
An attacker could craft a draggable\nelement containing a `javascript:` URI in the href attribute that,\nwhen dropped into a vulnerable editor, would bypass DOMPurify\nsanitization and inject executable JavaScript into the DOM.\n\nExploitation requires a specific environment (Level0InputController\nfallback) and social engineering (victim must drag and drop\nattacker-controlled content into the editor). Applications using\nserver-side HTML sanitization (such as Rails' built-in sanitizer)\nare additionally protected against persistence of the payload, as it is\nneutralized on save; this does not by itself prevent the client-side\nexecution at drop time in the editor of the user who performed the drop.\n\n### Patches\n\nUpdate Recommendation: Users should upgrade to Trix editor\nversion 2.1.18 or later.\n\n### References\n\nThe XSS vulnerability was responsibly reported by HackerOne\nresearcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).","references":[{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c"},{"reference_url":"https://github.com/basecamp/trix/releases/tag/v2.1.18","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/releases/tag/v2.1.18"},{"ref
erence_url":"https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml"},{"reference_url":"https://github.com/advisories/GHSA-53p3-c7vp-4mcc","reference_id":"GHSA-53p3-c7vp-4mcc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-53p3-c7vp-4mcc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374837?format=json","purl":"pkg:npm/trix@2.1.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.18"}],"aliases":["GHSA-53p3-c7vp-4mcc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pn87-vyk5-xqf8"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212466?format=json","vulnerability_id":"VCID-pyyj-9p9s-bfem","summary":"Trix has a stored XSS vulnerability through its attachment 
attribute","references":[{"reference_url":"https://github.com/basecamp/trix","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix"},{"reference_url":"https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010"},{"reference_url":"https://github.com/basecamp/trix/releases/tag/v2.1.16","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/releases/tag/v2.1.16"},{"reference_url":"https://github.com/advisories/GHSA-g9jg-w8vm-g96v","reference_id":"GHSA-g9jg-w8vm-g96v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g9jg-w8vm-g96v"},{"reference_url":"https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v","reference_id":"GHSA-g9jg-w8vm-g96v","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v"},{"refe
rence_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml","reference_id":"GHSA-g9jg-w8vm-g96v.yml","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36455?format=json","purl":"pkg:npm/trix@2.1.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2ugz-6znp-aqc2"},{"vulnerability":"VCID-pn87-vyk5-xqf8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16"}],"aliases":["GHSA-g9jg-w8vm-g96v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pyyj-9p9s-bfem"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16"}