Jan 1, 2026
An earlier fix for an XSS vulnerability in Trix Editor sanitized attachment content only when it was labeled 'text/html'. An attacker could bypass that check by giving a malicious HTML payload any other content type (for example 'text/anything'): the sanitizer skipped it, but the renderer ignored the label and still assigned the content to innerHTML, so the markup was parsed and any embedded event handler or script payload executed. Fixed in version 2.1.4.
A logic flaw in Trix Editor's attachment handling let attackers bypass its XSS protections simply by mislabeling the content type of a malicious payload: the check was gated on an attacker-controlled label rather than on the sink the content actually reached.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Trix (Basecamp) | < 2.1.4 | 2.1.4 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVSS v3.1 | 6.5 (Medium) |
| Attack Vector | Network; low attack complexity, no privileges required, user interaction required |
| Impact | Confidentiality: High; Integrity: None; Availability: None (scope unchanged, per the vector above) |
| Exploit Status | PoC Available |
| Patch Status | Fixed in v2.1.4 |
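The following is an added example, not Trix's own code and not the project's patch: it models the label-gated sanitizer the advisory describes next to a hardened renderer, using a constructed in-memory stand-in for a DOM element so it runs under Node. All function and field names (renderAttachmentVulnerable, renderAttachmentFixed, contentType, makeSink) and the two attachment payloads are hypothetical.

```javascript
// Added example, not Trix's code: a minimal model of the label-gated sanitizer
// described in this advisory and of a hardened renderer. Function and field
// names (renderAttachmentVulnerable, contentType, makeSink, ...) are hypothetical.

// Stand-in sanitizer: drops <script> elements, inline on* handlers and
// javascript: URLs. A real deployment should use a maintained library such as
// DOMPurify; this is only enough to make the example self-contained.
function sanitizeHtml(html) {
  return String(html)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    .replace(/\b(href|src)\s*=\s*(["']?)\s*javascript:[^"'\s>]*\2/gi, '$1=$2#$2');
}

// HTML-escape text so it is displayed, not parsed, when it reaches a DOM sink.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Constructed stand-in for a DOM element so this runs under Node without a
// browser. innerHTML stores markup as-is (a real browser would parse it);
// textContent stores the escaped form (a real browser would show it as text).
function makeSink() {
  const el = { markup: '' };
  Object.defineProperty(el, 'innerHTML', {
    get() { return el.markup; },
    set(v) { el.markup = String(v); },
  });
  Object.defineProperty(el, 'textContent', {
    get() { return el.markup; },
    set(v) { el.markup = escapeHtml(v); },
  });
  return el;
}

// Vulnerable pattern from the advisory: sanitization is gated on the
// attacker-controlled contentType, but the sink is innerHTML no matter what.
function renderAttachmentVulnerable(attachment) {
  const el = makeSink();
  let content = attachment.content;
  if (attachment.contentType === 'text/html') {
    content = sanitizeHtml(content);     // only runs when the label says so
  }
  el.innerHTML = content;                // ...but everything is parsed as HTML
  return el.innerHTML;
}

// Hardened form: the decision follows the sink, not the label. Anything that
// reaches innerHTML is sanitized; content not declared as HTML is rendered as
// text, so a mislabeled payload can never be parsed as markup.
function renderAttachmentFixed(attachment) {
  const el = makeSink();
  if (attachment.contentType === 'text/html') {
    el.innerHTML = sanitizeHtml(attachment.content);
  } else {
    el.textContent = attachment.content;
  }
  return el.innerHTML;
}

// Heuristic check on rendered markup: does it still contain an executable
// element or attribute that a browser would act on when parsing it?
function wouldExecuteScript(markup) {
  return /<script\b/i.test(markup)
    || /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup)
    || /<[a-z][^>]*\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(markup);
}

// Constructed attachments: the bypass payload from the advisory (malicious HTML
// labeled as something other than text/html) and a correctly labeled one.
const mislabeled = {
  contentType: 'text/anything',
  content: '<img src=x onerror="alert(document.cookie)">',
};
const labeledHtml = {
  contentType: 'text/html',
  content: '<p>report</p><script>alert(document.cookie)</script>',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, mislabeled :', wouldExecuteScript(renderAttachmentVulnerable(mislabeled)));
  console.log('vulnerable, text/html  :', wouldExecuteScript(renderAttachmentVulnerable(labeledHtml)));
  console.log('fixed, mislabeled      :', wouldExecuteScript(renderAttachmentFixed(mislabeled)));
  console.log('fixed, text/html       :', wouldExecuteScript(renderAttachmentFixed(labeledHtml)));
}
```

The point of the fixed version is not the specific sanitizer but where the decision is made: the content type is part of the attacker's input, so it can select how content is displayed (text versus HTML) but must never decide whether the HTML sink is protected. Any value that ends up in innerHTML goes through the sanitizer unconditionally.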