CVE-2024-34341 Overview
CVE-2024-34341 is a Cross-Site Scripting (XSS) vulnerability in Trix, the rich text editor developed by Basecamp and bundled with Rails Action Text. When a user copies content from an attacker-controlled web page or document and pastes it into the editor, markup that Trix fails to sanitize is inserted into the page and arbitrary JavaScript runs in the user's browser, in the origin of the application hosting the editor. The flaw stems from improper sanitization of pasted HTML, which lets an attacker smuggle script-bearing markup past the editor's sanitizer.
Critical Impact
Attackers can execute arbitrary JavaScript code in the context of affected applications, potentially leading to session hijacking, data theft, or unauthorized actions on behalf of authenticated users.
Affected Products
- Trix Editor versions prior to 2.1.1
- Applications integrating vulnerable Trix Editor versions
- Ruby on Rails applications using Action Text with vulnerable Trix versions
Discovery Timeline
- 2024-05-07 - CVE-2024-34341 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-34341
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The Trix editor failed to properly sanitize HTML content when users paste markup from external sources. Specifically, the parseTrixDataAttribute function in html_parser.js did not sanitize HTML content stored in Trix data attributes, and the HTMLSanitizer class did not include noscript elements in its list of forbidden tags.
The attack vector is network-based in that the payload is delivered by a page or document the victim copies from, but it requires user interaction: the victim must paste the content into a Trix instance. Once triggered, the script runs in the application's origin with the victim's session, so it can read whatever the page can read and perform actions as that user.
Root Cause
The root cause involves two distinct sanitization failures in the Trix editor:
Missing HTML sanitization in data attribute parsing: The parseTrixDataAttribute function in src/trix/models/html_parser.js parsed JSON data from Trix data attributes without sanitizing HTML content, allowing malicious markup to bypass security controls.
Incomplete forbidden elements list: The HTMLSanitizer class in src/trix/models/html_sanitizer.js did not include noscript in its DEFAULT_FORBIDDEN_ELEMENTS array. noscript is parsed differently depending on whether scripting is enabled in the parsing context: a sanitizer that parses markup in a context where scripting is disabled sees the element's contents as ordinary child elements, while the live document with scripting enabled treats them as raw text up to the first closing tag. Markup that looks inert to the sanitizer can therefore be re-parsed as live elements once the serialized output is inserted into the page, which is why noscript has to be removed rather than walked.
Attack Vector
An attacker exploits this by crafting HTML that carries a script payload, either inside the text/html content of a Trix attachment data attribute or inside a noscript element that the sanitizer walks without removing. When a user copies this content from an attacker-controlled web page and pastes it into a Trix editor instance, the payload is inserted into the victim's page and executes in the victim's browser.
The attack is network-based and requires user interaction through the paste action. Successful exploitation could allow attackers to read data the page can access (including any session cookie not marked HttpOnly), redirect users to malicious sites, modify page content, or perform actions with the victim's credentials.
// Security patch in src/trix/models/html_parser.js - Merge pull request #1149 from basecamp/paste-html-sanitize
const parseTrixDataAttribute = (element, name) => {
try {
- return JSON.parse(element.getAttribute(`data-trix-${name}`))
+ const data = JSON.parse(element.getAttribute(`data-trix-${name}`))
+
+ if (data.contentType === "text/html" && data.content) {
+ data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+ }
+
+ return data
} catch (error) {
return {}
}
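Review bot: the new check only sanitizes `data.content` when `data.contentType === "text/html"`, so any other HTML-bearing field parsed from a `data-trix-*` attribute still leaves this function unsanitized and callers must not treat the returned object as trusted markup. Two smaller points: `JSON.parse` may return `null` or a primitive, in which case `data.contentType` throws and the catch silently returns `{}`; that is safe but hides the intent, and an explicit `typeof data === "object" && data !== null` guard would read better. Also, `HTMLSanitizer` is referenced here with no import visible in the hunk; confirm the import is part of the same change.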
Source: GitHub Commit Update
// Security patch in src/trix/models/html_sanitizer.js - Merge pull request #1147 from basecamp/sanitize-noscript
const DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height language class".split(" ")
const DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
-const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form".split(" ")
+const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript".split(" ")
export default class HTMLSanitizer extends BasicObject {
static sanitize(html, options) {
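Review bot: adding `noscript` to `DEFAULT_FORBIDDEN_ELEMENTS` fixes the reported vector but keeps the sanitizer a denylist: if elements not in `script iframe form noscript` are retained, `object`, `embed`, `svg` and `math` stay in scope, and with `href` and `src` in `DEFAULT_ALLOWED_ATTRIBUTES` while `DEFAULT_FORBIDDEN_PROTOCOLS` names only `javascript:`, `data:` and `vbscript:` URLs are not rejected. Suggest moving to an element allowlist, or at minimum documenting in this file why the remaining elements and protocols are considered safe. A one-line comment on why `noscript` is dangerous (its contents parse differently with scripting disabled versus enabled) would also help the next reader.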
Source: GitHub Commit Fix
Detection Methods for CVE-2024-34341
Indicators of Compromise
- Unexpected JavaScript execution originating from Trix editor instances
- Presence of noscript tags in Trix editor content where none should exist
- data-trix-attachment attributes whose JSON declares contentType text/html and whose content field contains script or noscript tags, on* event-handler attributes, or javascript: URLs
- Client-side errors or unexpected DOM modifications when pasting content
Detection Strategies
- Collect Content Security Policy violation reports (report-to or report-uri) from pages that embed the editor and review them for inline-script or event-handler violations
- Deploy a CSP that disallows inline scripts and handlers so that an injected payload is blocked and reported rather than executed
- Inventory the Trix build each application ships (the trix package version in package.json or yarn.lock, or the Trix bundle vendored with Action Text) and flag anything below 2.1.1
- Inspect stored editor content, not just the live DOM, for data-trix-attachment attributes whose text/html content carries unsanitized markup
Monitoring Recommendations
- Capture client-side JavaScript errors and CSP violation reports in production via a reporting endpoint; exploitation happens in the browser and leaves no server-side trace until the content is saved
- Remember that a web application firewall cannot observe the paste itself, which is purely client-side; it only sees the serialized editor content when the form is submitted. Tune it to flag script and noscript tags, on* attributes and javascript: URLs inside data-trix-attachment JSON in request bodies, and expect false positives on legitimate rich content
- Monitor CSP violation reports that cluster on pages embedding the editor, which may indicate exploitation attempts
- Alert when saved editor content is rejected or rewritten by server-side sanitization, since that is the first point where an injected payload becomes visible to the server
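The checks above can be run offline over content already stored by the application. The following is an added example, not code from Trix or Rails: it scans a saved Trix / Action Text fragment for the two vectors this advisory names, text/html payloads carried in data-trix-attachment JSON and noscript elements, plus inline event handlers and javascript: URLs. The attribute name data-trix-attachment and the contentType/content keys follow the structure the patched parseTrixDataAttribute reads; the sample fragments are constructed for the example, and the patterns are review heuristics, not a sanitizer.

```javascript
// Added example (not Trix's or Rails' code): scan stored Trix / Action Text
// HTML for text/html attachment payloads in data-trix-attachment JSON and for
// noscript elements. Sample fragments below are constructed for this example.

// Heuristics, not a sanitizer: each hit is something a reviewer should look at.
const SUSPICIOUS_MARKUP = [
  { name: "script element", re: /<\s*script\b/i },
  { name: "noscript element", re: /<\s*noscript\b/i },
  { name: "inline event handler", re: /\son[a-z]+\s*=/i },
  { name: "javascript: URL", re: /(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i },
];

// data-trix-attachment="..." or '...' as serialized by the editor.
const ATTACHMENT_ATTR = /data-trix-attachment\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Undo the entity encoding an attribute value carries after HTML serialization.
function decodeAttr(value) {
  return value
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Parse every attachment JSON blob in a fragment, in document order.
function extractAttachments(html) {
  const out = [];
  for (const m of html.matchAll(ATTACHMENT_ATTR)) {
    const raw = decodeAttr(m[1] !== undefined ? m[1] : m[2]);
    try {
      out.push(JSON.parse(raw));
    } catch (e) {
      out.push({ parseError: true, raw });
    }
  }
  return out;
}

function matches(markup) {
  return SUSPICIOUS_MARKUP.filter((s) => s.re.test(markup)).map((s) => s.name);
}

// Returns human-readable findings; an empty list means nothing was flagged.
function scanTrixHTML(html) {
  const findings = [];
  extractAttachments(html).forEach((att, i) => {
    if (att === null || typeof att !== "object") return;
    if (att.parseError) {
      findings.push(`attachment[${i}]: unparseable JSON`);
      return;
    }
    if (att.contentType === "text/html" && typeof att.content === "string") {
      for (const name of matches(att.content)) findings.push(`attachment[${i}] content: ${name}`);
    }
  });
  // Scan the surrounding markup with the attachment JSON blanked out, so the
  // same payload is not reported twice (the JSON is entity-encoded, but event
  // handler names inside it would still match the heuristics).
  const body = html.replace(ATTACHMENT_ATTR, 'data-trix-attachment=""');
  for (const name of matches(body)) findings.push(`body: ${name}`);
  return findings;
}

// Constructed samples: a clean fragment with an image attachment, and one
// carrying both a text/html attachment payload and a noscript element.
const CLEAN_CONTENT =
  '<div class="trix-content"><p>Quarterly notes</p>' +
  '<figure data-trix-attachment="{&quot;contentType&quot;:&quot;image/png&quot;,' +
  '&quot;url&quot;:&quot;https://example.com/chart.png&quot;}"></figure></div>';

const MALICIOUS_CONTENT =
  '<div class="trix-content"><p>Quarterly notes</p>' +
  '<figure data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,' +
  '&quot;content&quot;:&quot;&lt;img src=x onerror=alert(1)&gt;&quot;}"></figure>' +
  '<noscript><p>hidden</p></noscript></div>';

console.log(scanTrixHTML(CLEAN_CONTENT));     // []
console.log(scanTrixHTML(MALICIOUS_CONTENT)); // [ 'attachment[0] content: inline event handler', 'body: noscript element' ]
```

Run it over exported Action Text bodies (or a database dump of the rich text column) and triage each finding by hand; legitimate content rarely carries noscript or event-handler attributes, but the regexes are deliberately broad and will flag some benign markup.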
How to Mitigate CVE-2024-34341
Immediate Actions Required
- Upgrade Trix editor to version 2.1.1 or later immediately
- Review all applications using Trix editor to identify vulnerable deployments
- Implement Content Security Policy headers to mitigate XSS impact
- Audit recent user-submitted content for potential malicious payloads
Patch Information
Basecamp has released Trix version 2.1.1 which addresses this vulnerability. The fix includes proper sanitization of HTML content in the parseTrixDataAttribute function and adds noscript to the list of forbidden elements in the HTMLSanitizer class. Organizations should update to this version immediately.
For technical details, refer to:
- GitHub Security Advisory GHSA-qjqp-xr96-cj99
- GitHub Release v2.1.1
- Pull Request #1147
- Pull Request #1149
Workarounds
- Implement server-side HTML sanitization as an additional layer of defense before storing user content; this protects readers of the stored content but not the user whose browser executes the payload at paste time, so it complements rather than replaces the upgrade
- Deploy a strict Content Security Policy that disallows inline scripts and event handlers, which blocks the typical payload even if it is inserted
- Intercept pastes with Trix's trix-before-paste event and reduce them to plain text where rich paste is not required for business operations
- Use a Web Application Firewall (WAF) configured to detect XSS payloads in request bodies, bearing in mind it only sees the content once it is saved, not at paste time
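One way to implement the plain-text paste workaround on the client, as an added example that is not Trix's own code: a trix-before-paste listener rewrites the paste so that only escaped text reaches the editor. It assumes the shape of Trix's documented paste hooks, namely that the event carries event.paste with an html property for a rich paste or a string property for a plain one; verify that against the Trix version you ship. This is a stopgap for deployments that cannot upgrade immediately, not a substitute for 2.1.1.

```javascript
// Added example (not Trix's own code): reduce every paste into a Trix editor
// to plain text by rewriting event.paste.html in a trix-before-paste handler.
// Assumption: event.paste carries .html (rich paste) or .string (plain paste),
// as in Trix's documented paste hooks. Use only where rich paste is not needed.

// Escape the characters that matter when text is re-inserted as HTML.
function escapeHTML(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reduce markup to its text. In a browser the HTML parser handles entities and
// nesting; the regex branch exists only so this file also runs under Node (for
// example in a test) and is not a sanitizer in its own right. Either way the
// result is re-escaped before it reaches the editor, so stray tag fragments
// become inert text.
function htmlToText(html) {
  if (typeof DOMParser !== "undefined") {
    return new DOMParser().parseFromString(html, "text/html").body.textContent || "";
  }
  return html
    .replace(/<[^>]*>/g, "")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Rewrite the paste object in place: a rich paste becomes escaped text with
// line breaks kept as <br>; a plain paste is left alone. Returns the object so
// the result can be inspected.
function plainTextPaste(paste) {
  if (paste && typeof paste.html === "string") {
    paste.html = escapeHTML(htmlToText(paste.html)).replace(/\r?\n/g, "<br>");
  }
  return paste;
}

// Browser wiring: trix-before-paste bubbles up from the <trix-editor> element.
if (typeof document !== "undefined") {
  document.addEventListener("trix-before-paste", (event) => {
    plainTextPaste(event.paste);
  });
}
```

Because the handler rewrites paste.html rather than cancelling the event, it works whichever branch of Trix's paste handling selected the HTML path; the cost is that users lose formatting on paste, which is the point of the workaround.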
# Configuration example - Content Security Policy header for Apache
# Add to .htaccess or Apache configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


