Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/737300?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/737300?format=api", "purl": "pkg:npm/trix@2.0.3", "type": "npm", "namespace": "", "name": "trix", "version": "2.0.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.1.18", "latest_non_vulnerable_version": "2.1.18", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55698?format=api", "vulnerability_id": "VCID-65h2-knnz-ubch", "summary": "Trix has a cross-site Scripting vulnerability on copy & paste\nThe Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99. In https://github.com/basecamp/trix/pull/1149, we added sanitation for Trix attachments with a `text/html` content type. However, Trix only checks the content type on the paste event's `dataTransfer` object. As long as the `dataTransfer` has a content type of `text/html`, Trix parses its contents and creates an `Attachment` with them, even if the attachment itself doesn't have a `text/html` content type. Trix then uses the attachment content to set the attachment element's `innerHTML`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43368", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00392", "scoring_system": "epss", "scoring_elements": "0.60542", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00392", "scoring_system": "epss", "scoring_elements": "0.60533", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00392", "scoring_system": "epss", "scoring_elements": "0.60518", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00392", "scoring_system": "epss", "scoring_elements": "0.60534", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00392", "scoring_system": "epss", "scoring_elements": "0.60546", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-43368" }, { "reference_url": "https://developer.mozilla.org/en-US/docs/Web/API/DataTransfer", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://developer.mozilla.org/en-US/docs/Web/API/DataTransfer" }, { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/" } ], "url": "https://github.com/basecamp/trix/commit/7656f578af0d03141a72a9d27cb3692e6947dae6" }, { "reference_url": "https://github.com/basecamp/trix/pull/1149", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/" } ], "url": "https://github.com/basecamp/trix/pull/1149" }, { "reference_url": "https://github.com/basecamp/trix/pull/1156", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/" } ], "url": "https://github.com/basecamp/trix/pull/1156" }, { "reference_url": "https://github.com/basecamp/trix/releases/tag/v2.1.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/" } ], "url": "https://github.com/basecamp/trix/releases/tag/v2.1.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43368", "reference_id": "CVE-2024-43368", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43368" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "reference_id": "GHSA-qjqp-xr96-cj99", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99" }, { "reference_url": "https://github.com/advisories/GHSA-qm2q-9f3q-2vcv", "reference_id": "GHSA-qm2q-9f3q-2vcv", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qm2q-9f3q-2vcv" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv", "reference_id": "GHSA-qm2q-9f3q-2vcv", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-15T14:58:19Z/" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qm2q-9f3q-2vcv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82414?format=api", "purl": "pkg:npm/trix@2.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8buu-wy2s-s7e3" }, { "vulnerability": "VCID-8zkf-ben4-abhq" }, { "vulnerability": "VCID-b8yj-t5d4-ebgp" }, { "vulnerability": "VCID-enpr-zw36-c3bs" }, { "vulnerability": "VCID-jybu-5yrx-4ydm" }, { "vulnerability": "VCID-n75e-6zy4-yqaq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.4" } ], "aliases": [ "CVE-2024-43368", "GHSA-qm2q-9f3q-2vcv" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-65h2-knnz-ubch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57272?format=api", "vulnerability_id": "VCID-8buu-wy2s-s7e3", "summary": "Trix vulnerable to Cross-site Scripting on copy & paste\nThe Trix editor, in versions prior to 2.1.15, is vulnerable to XSS attacks when pasting malicious code.\n\nAn attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46812", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0035", "scoring_system": "epss", "scoring_elements": "0.57747", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0035", "scoring_system": "epss", "scoring_elements": "0.57765", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.0035", "scoring_system": "epss", "scoring_elements": "0.57769", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0035", "scoring_system": "epss", "scoring_elements": "0.57761", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0035", "scoring_system": "epss", "scoring_elements": "0.5776", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-46812" }, { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191", "reference_id": "", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/" } ], "url": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46812", "reference_id": "CVE-2025-46812", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46812" }, { "reference_url": "https://github.com/advisories/GHSA-mcrw-746g-9q8h", "reference_id": "GHSA-mcrw-746g-9q8h", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mcrw-746g-9q8h" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h", "reference_id": "GHSA-mcrw-746g-9q8h", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T19:58:29Z/" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/85085?format=api", "purl": "pkg:npm/trix@2.1.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8zkf-ben4-abhq" }, { "vulnerability": "VCID-enpr-zw36-c3bs" }, { "vulnerability": "VCID-jybu-5yrx-4ydm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.15" } ], "aliases": [ "CVE-2025-46812", "GHSA-mcrw-746g-9q8h" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8buu-wy2s-s7e3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50919?format=api", "vulnerability_id": "VCID-8zkf-ben4-abhq", "summary": "Trix has a Stored XSS vulnerability through serialized attributes\nThe Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a `data-trix-serialized-attributes` attribute bypasses the DOMPurify sanitizer.\n\nAn attacker could craft HTML containing a `data-trix-serialized-attributes` attribute with a malicious payload that, when the content is rendered, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.", "references": [ { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc" }, { "reference_url": "https://github.com/basecamp/trix/pull/1282", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/pull/1282" }, { "reference_url": "https://github.com/basecamp/trix/releases/tag/v2.1.17", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/releases/tag/v2.1.17" }, { "reference_url": "https://github.com/advisories/GHSA-qmpg-8xg6-ph5q", "reference_id": "GHSA-qmpg-8xg6-ph5q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmpg-8xg6-ph5q" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q", "reference_id": "GHSA-qmpg-8xg6-ph5q", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml", "reference_id": "GHSA-qmpg-8xg6-ph5q.yml", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-qmpg-8xg6-ph5q.yml" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74877?format=api", "purl": "pkg:npm/trix@2.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-enpr-zw36-c3bs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.17" } ], "aliases": [ "GHSA-qmpg-8xg6-ph5q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8zkf-ben4-abhq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56431?format=api", "vulnerability_id": "VCID-b8yj-t5d4-ebgp", "summary": "Trix allows Cross-site Scripting via `javascript:` url in a link\nThe Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21610", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42037", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.41982", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42027", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.41974", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.002", "scoring_system": "epss", "scoring_elements": "0.42009", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-21610" }, { "reference_url": "https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/" } ], "url": "https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8" }, { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/" } ], "url": "https://github.com/basecamp/trix/commit/180c8d337f18e1569cea6ef29b4d03ffff5b5faa" }, { "reference_url": "https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/" } ], "url": "https://github.com/basecamp/trix/commit/c4f0d6f80654603932af6685694f694e96593b93" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21610", "reference_id": "CVE-2025-21610", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21610" }, { "reference_url": "https://github.com/advisories/GHSA-j386-3444-qgwg", "reference_id": "GHSA-j386-3444-qgwg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j386-3444-qgwg" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg", "reference_id": "GHSA-j386-3444-qgwg", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-03T16:55:29Z/" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-j386-3444-qgwg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83686?format=api", "purl": "pkg:npm/trix@2.1.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8buu-wy2s-s7e3" }, { "vulnerability": "VCID-8zkf-ben4-abhq" }, { "vulnerability": "VCID-enpr-zw36-c3bs" }, { "vulnerability": "VCID-jybu-5yrx-4ydm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.12" } ], "aliases": [ "CVE-2025-21610", "GHSA-j386-3444-qgwg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b8yj-t5d4-ebgp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51372?format=api", "vulnerability_id": "VCID-enpr-zw36-c3bs", "summary": "Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)\n### Impact\n\nThe Trix editor, in versions prior to 2.1.18, is vulnerable to XSS\nwhen a crafted `application/x-trix-document` JSON payload is dropped\ninto the editor in environments using the fallback Level0InputController\n(e.g., embedded WebViews lacking Input Events Level 2 support).\n\nThe `StringPiece.fromJSON` method trusted `href` attributes from the\nJSON payload without sanitization. An attacker could craft a draggable\nelement containing a `javascript:` URI in the href attribute that,\nwhen dropped into a vulnerable editor, would bypass DOMPurify\nsanitization and inject executable JavaScript into the DOM.\n\nExploitation requires a specific environment (Level0InputController\nfallback) and social engineering (victim must drag and drop\nattacker-controlled content into the editor). Applications using\nserver-side HTML sanitization (such as Rails' built-in sanitizer)\nare additionally protected, as the payload is neutralized on save.\n\n### Patches\n\nUpdate Recommendation: Users should upgrade to Trix editor\nversion 2.1.18 or later.\n\n### References\n\nThe XSS vulnerability was responsibly reported by Hackerone\nresearcher [newbiefromcoma](https://hackerone.com/newbiefromcoma).", "references": [ { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c" }, { "reference_url": "https://github.com/basecamp/trix/releases/tag/v2.1.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/releases/tag/v2.1.18" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-53p3-c7vp-4mcc.yml" }, { "reference_url": "https://github.com/advisories/GHSA-53p3-c7vp-4mcc", "reference_id": "GHSA-53p3-c7vp-4mcc", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-53p3-c7vp-4mcc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/113140?format=api", "purl": "pkg:npm/trix@2.1.18", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.18" } ], "aliases": [ "GHSA-53p3-c7vp-4mcc" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-enpr-zw36-c3bs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49542?format=api", "vulnerability_id": "VCID-jybu-5yrx-4ydm", "summary": "Trix has a stored XSS vulnerability through its attachment attribute\nThe Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.\n\nAn attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.", "references": [ { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010" }, { "reference_url": "https://github.com/basecamp/trix/releases/tag/v2.1.16", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/releases/tag/v2.1.16" }, { "reference_url": "https://github.com/advisories/GHSA-g9jg-w8vm-g96v", "reference_id": "GHSA-g9jg-w8vm-g96v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g9jg-w8vm-g96v" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v", "reference_id": "GHSA-g9jg-w8vm-g96v", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml", "reference_id": "GHSA-g9jg-w8vm-g96v.yml", "reference_type": "", "scores": [ { "value": "4.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/action_text-trix/GHSA-g9jg-w8vm-g96v.yml" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73148?format=api", "purl": "pkg:npm/trix@2.1.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8zkf-ben4-abhq" }, { "vulnerability": "VCID-enpr-zw36-c3bs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.16" } ], "aliases": [ "GHSA-g9jg-w8vm-g96v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jybu-5yrx-4ydm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56323?format=api", "vulnerability_id": "VCID-n75e-6zy4-yqaq", "summary": "Trix editor subject to XSS vulnerabilities on copy & paste\nThe Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53847", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44836", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44819", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44807", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44851", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00222", "scoring_system": "epss", "scoring_elements": "0.44858", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-53847" }, { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/272c7e27e722608732a67108ad3fe7870e233ac8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-10T16:15:17Z/" } ], "url": "https://github.com/basecamp/trix/commit/272c7e27e722608732a67108ad3fe7870e233ac8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53847", "reference_id": "CVE-2024-53847", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53847" }, { "reference_url": "https://github.com/advisories/GHSA-6vx4-v2jw-qwqh", "reference_id": "GHSA-6vx4-v2jw-qwqh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6vx4-v2jw-qwqh" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-6vx4-v2jw-qwqh", "reference_id": "GHSA-6vx4-v2jw-qwqh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-10T16:15:17Z/" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-6vx4-v2jw-qwqh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83480?format=api", "purl": "pkg:npm/trix@2.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8buu-wy2s-s7e3" }, { "vulnerability": "VCID-8zkf-ben4-abhq" }, { "vulnerability": "VCID-b8yj-t5d4-ebgp" }, { "vulnerability": "VCID-enpr-zw36-c3bs" }, { "vulnerability": "VCID-jybu-5yrx-4ydm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.9" } ], "aliases": [ "CVE-2024-53847", "GHSA-6vx4-v2jw-qwqh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-n75e-6zy4-yqaq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51598?format=api", "vulnerability_id": "VCID-nchh-dnkh-tbev", "summary": "Arbitrary Code Execution Vulnerability in Trix Editor included in ActionText\nFrom version 7.0 onwards the ActionText gem includes a copy of the Trix rich text editor.\nPrior to versions 7.0.8.3 and 7.1.3.3, ActionText included a version of Trix that\nis vulnerable to arbitrary code execution when\ncopying and pasting content from the web or other documents with markup into the editor.\nThe vulnerability stems from improper sanitization of pasted content, allowing an attacker\nto embed malicious scripts which are executed within the context of the application.\n\n# Vulnerable Versions:\n * 7.1 series older than 7.1.3.3\n * 7.0 series older than 7.0.8.3\n\n# Fixed Versions:\n * 7.1.3.3\n * 7.0.8.3\n\n# Vector:\n\nBug 1: When copying content manipulated by a script, such as:\n```javascript\ndocument.addEventListener('copy', function(e){\n e.clipboardData.setData('text/html', '<div><noscript><div class=\"123</noscript>456<img src=1 onerror=alert(1)//\"></div></noscript></div>');\n e.preventDefault();\n});\n```\nand pasting into the Trix editor, the script within the content is executed.\n\nBug 2: Similar execution occurs with content structured as:\n\n```javascript\ndocument.write(`copy<div data-trix-attachment=\"{"contentType":"text/html","content":"<img src=1 onerror=alert(101)>HELLO123"}\"></div>me`);\n```\n\n# Impact:\n\nAn attacker could exploit these vulnerabilities to execute arbitrary JavaScript code\nwithin the context of the user's session, potentially leading to unauthorized actions\nbeing performed or sensitive information being disclosed.\n\n# Remediation:\n\nUpdate Recommendation: Users of ActionText 7.0 should upgrade to ActionText version 7.0.8.3 or later.\nUsers of ActionText 7.1 should upgrade to version 7.1.3.3 or later.\nThese updated versions incorporate proper sanitization of input from copied content.\n\nCSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts\ncan significantly mitigate the risk of such vulnerabilities.\nSet CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin\nare executed, and explicitly prohibit inline scripts using script-src-elem.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34341", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00551", "scoring_system": "epss", "scoring_elements": "0.68385", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00551", "scoring_system": "epss", "scoring_elements": "0.68386", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00551", "scoring_system": "epss", "scoring_elements": "0.6837", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00551", "scoring_system": "epss", "scoring_elements": "0.68393", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-34341" }, { "reference_url": "https://discuss.rubyonrails.org/t/xss-vulnerabilities-in-trix-editor/85803", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://discuss.rubyonrails.org/t/xss-vulnerabilities-in-trix-editor/85803" }, { "reference_url": "https://github.com/advisories/GHSA-qjqp-xr96-cj99", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qjqp-xr96-cj99" }, { "reference_url": "https://github.com/basecamp/trix", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/basecamp/trix" }, { "reference_url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T18:19:32Z/" } ], "url": "https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad" }, { "reference_url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T18:19:32Z/" } ], "url": "https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554" }, { "reference_url": "https://github.com/basecamp/trix/pull/1147", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T18:19:32Z/" } ], "url": "https://github.com/basecamp/trix/pull/1147" }, { "reference_url": "https://github.com/basecamp/trix/pull/1149", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T18:19:32Z/" } ], "url": "https://github.com/basecamp/trix/pull/1149" }, { "reference_url": "https://github.com/basecamp/trix/releases/tag/v2.1.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T18:19:32Z/" } ], "url": "https://github.com/basecamp/trix/releases/tag/v2.1.1" }, { "reference_url": "https://github.com/rails/rails/commit/07e6c88cc4defe6f6b8d28e79eb13a518e15b14c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rails/rails/commit/07e6c88cc4defe6f6b8d28e79eb13a518e15b14c" }, { "reference_url": "https://github.com/rails/rails/commit/260cb392fc1ee91d0b749cff08d1c8d54b230bd3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rails/rails/commit/260cb392fc1ee91d0b749cff08d1c8d54b230bd3" }, { "reference_url": "https://github.com/rails/rails/commit/73fac32511eefdd45d8f00fecc2b8cc5408ea6d5", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rails/rails/commit/73fac32511eefdd45d8f00fecc2b8cc5408ea6d5" }, { "reference_url": "https://rubyonrails.org/2024/5/17/Rails-Versions-7-0-8-2-and-7-1-3-3-have-been-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubyonrails.org/2024/5/17/Rails-Versions-7-0-8-2-and-7-1-3-3-have-been-released" }, { "reference_url": "https://rubyonrails.org/2024/5/17/Rails-Versions-7-0-8-3-has-been-released", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://rubyonrails.org/2024/5/17/Rails-Versions-7-0-8-3-has-been-released" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34341", "reference_id": "CVE-2024-34341", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34341" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-34341.yml", "reference_id": "CVE-2024-34341.YML", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-34341.yml" }, { "reference_url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99", "reference_id": "GHSA-qjqp-xr96-cj99", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T18:19:32Z/" } ], "url": "https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81201?format=api", "purl": "pkg:npm/trix@2.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65h2-knnz-ubch" }, { "vulnerability": "VCID-8buu-wy2s-s7e3" }, { "vulnerability": "VCID-8zkf-ben4-abhq" }, { "vulnerability": "VCID-b8yj-t5d4-ebgp" }, { "vulnerability": "VCID-enpr-zw36-c3bs" }, { "vulnerability": "VCID-jybu-5yrx-4ydm" }, { "vulnerability": "VCID-n75e-6zy4-yqaq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.1.1" } ], "aliases": [ "CVE-2024-34341", "GHSA-qjqp-xr96-cj99" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nchh-dnkh-tbev" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/trix@2.0.3" }