Updated advisory posts against rubysec/ruby-advisory-db@0a89cf8

ddalcino · RubySec CI · commit 254a14036f5b · 2024-06-03T05:01:08.000Z
diff --git a/advisories/_posts/2024-05-07-CVE-2024-34341.md b/advisories/_posts/2024-05-07-CVE-2024-34341.md
@@ -0,0 +1,80 @@
+---
+layout: advisory
+title: 'CVE-2024-34341 (actiontext): Arbitrary Code Execution Vulnerability in Trix
+  Editor included in ActionText'
+comments: false
+categories:
+- actiontext
+advisory:
+  gem: actiontext
+  cve: 2024-34341
+  ghsa: qjqp-xr96-cj99
+  url: https://github.com/advisories/GHSA-qjqp-xr96-cj99
+  title: Arbitrary Code Execution Vulnerability in Trix Editor included in ActionText
+  date: 2024-05-07
+  description: |
+    The ActionText gem includes a copy of the Trix rich text editor.
+    Prior to versions 7.0.8.3 and 7.1.3.3, ActionText included a version of Trix that
+    is vulnerable to arbitrary code execution when
+    copying and pasting content from the web or other documents with markup into the editor.
+    The vulnerability stems from improper sanitization of pasted content, allowing an attacker
+    to embed malicious scripts which are executed within the context of the application.
+
+    # Vulnerable Versions:
+      * 7.1 series older than 7.1.3.3
+      * 7.0 series older than 7.0.8.3
+      * All versions of ActionText older than 7.0
+
+    # Fixed Versions:
+      * 7.1.3.3
+      * 7.0.8.3
+
+    # Vector:
+
+    Bug 1: When copying content manipulated by a script, such as:
+    ```javascript
+    document.addEventListener('copy', function(e){
+      e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
+      e.preventDefault();
+    });
+    ```
+    and pasting into the Trix editor, the script within the content is executed.
+
+    Bug 2: Similar execution occurs with content structured as:
+
+    ```javascript
+    document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=alert(101)&gt;HELLO123&quot;}"></div>me`);
+    ```
+
+    # Impact:
+
+    An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code
+    within the context of the user's session, potentially leading to unauthorized actions
+    being performed or sensitive information being disclosed.
+
+    # Remediation:
+
+    Update Recommendation: Users of ActionText 7.0 should upgrade to ActionText version 7.0.8.3 or later.
+    Users of ActionText 7.1 should upgrade to version 7.1.3.3 or later.
+    These updated versions incorporate proper sanitization of input from copied content.
+
+    CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts
+    can significantly mitigate the risk of such vulnerabilities.
+    Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin
+    are executed, and explicitly prohibit inline scripts using script-src-elem.
+  patched_versions:
+  - "~> 7.0.8.3"
+  - ">= 7.1.3.3"
+  cvss_v3: 5.4
+  related:
+    url:
+    - https://discuss.rubyonrails.org/t/xss-vulnerabilities-in-trix-editor/85803
+    - https://github.com/basecamp/trix/releases/tag/v2.1.1
+    - https://github.com/basecamp/trix/pull/1147
+    - https://github.com/basecamp/trix#1149
+    - https://github.com/basecamp/trix#1153
+    - https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
+    - https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
+    - https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-34341
+---
