CVE-2025-46812

Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15.

CVSS

No CVSS.

References

Link	Resource
https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191
https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h

Configurations

No configuration.

History

12 May 2025, 17:32

Type	Values Removed	Values Added
Summary		(es) Trix es un editor de texto enriquecido con una interfaz intuitiva para la escritura diaria. Las versiones anteriores a la 2.1.15 son vulnerables a ataques XSS al pegar código malicioso. Un atacante podría engañar a un usuario para que copie y pegue código malicioso que ejecutaría código JavaScript arbitrario en su sesión, lo que podría provocar acciones no autorizadas o la divulgación de información confidencial. Este problema se ha corregido en la versión 2.1.15.

08 May 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-08 20:15

Updated : 2025-05-12 17:32

NVD link : CVE-2025-46812

Mitre link : CVE-2025-46812

CVE.ORG link : CVE-2025-46812

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-46812", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-08T20:15:30.950", "references": [{"url": "https://github.com/basecamp/trix/commit/75226089646841b0f774d8b152e5ec27d2d9e191", "source": "security-advisories@github.com"}, {"url": "https://github.com/basecamp/trix/security/advisories/GHSA-mcrw-746g-9q8h", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.15 are vulnerable to XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. This issue has been patched in version 2.1.15."}, {"lang": "es", "value": "Trix es un editor de texto enriquecido con una interfaz intuitiva para la escritura diaria. Las versiones anteriores a la 2.1.15 son vulnerables a ataques XSS al pegar c\u00f3digo malicioso. Un atacante podr\u00eda enga\u00f1ar a un usuario para que copie y pegue c\u00f3digo malicioso que ejecutar\u00eda c\u00f3digo JavaScript arbitrario en su sesi\u00f3n, lo que podr\u00eda provocar acciones no autorizadas o la divulgaci\u00f3n de informaci\u00f3n confidencial. Este problema se ha corregido en la versi\u00f3n 2.1.15."}], "lastModified": "2025-05-12T17:32:52.810", "sourceIdentifier": "security-advisories@github.com"}