Add CVE-2024-34341 for actiontext (#784)

ddalcino · web-flow · commit 0a89cf8a3539 · 2024-06-02T22:00:21.000-07:00
diff --git a/gems/actiontext/CVE-2024-34341.yml b/gems/actiontext/CVE-2024-34341.yml
@@ -0,0 +1,72 @@
+---
+gem: actiontext
+cve: 2024-34341
+ghsa: qjqp-xr96-cj99
+url: https://github.com/advisories/GHSA-qjqp-xr96-cj99
+title: Arbitrary Code Execution Vulnerability in Trix Editor included in ActionText
+date: 2024-05-07
+description: |
+  The ActionText gem includes a copy of the Trix rich text editor.
+  Prior to versions 7.0.8.3 and 7.1.3.3, ActionText included a version of Trix that
+  is vulnerable to arbitrary code execution when
+  copying and pasting content from the web or other documents with markup into the editor.
+  The vulnerability stems from improper sanitization of pasted content, allowing an attacker
+  to embed malicious scripts which are executed within the context of the application.
+
+  # Vulnerable Versions:
+    * 7.1 series older than 7.1.3.3
+    * 7.0 series older than 7.0.8.3
+    * All versions of ActionText older than 7.0
+
+  # Fixed Versions:
+    * 7.1.3.3
+    * 7.0.8.3
+
+  # Vector:
+
+  Bug 1: When copying content manipulated by a script, such as:
+  ```javascript
+  document.addEventListener('copy', function(e){
+    e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>');
+    e.preventDefault();
+  });
+  ```
+  and pasting into the Trix editor, the script within the content is executed.
+
+  Bug 2: Similar execution occurs with content structured as:
+
+  ```javascript
+  document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=alert(101)&gt;HELLO123&quot;}"></div>me`);
+  ```
+
+  # Impact:
+
+  An attacker could exploit these vulnerabilities to execute arbitrary JavaScript code
+  within the context of the user's session, potentially leading to unauthorized actions
+  being performed or sensitive information being disclosed.
+
+  # Remediation:
+
+  Update Recommendation: Users of ActionText 7.0 should upgrade to ActionText version 7.0.8.3 or later.
+  Users of ActionText 7.1 should upgrade to version 7.1.3.3 or later.
+  These updated versions incorporate proper sanitization of input from copied content.
+
+  CSP Enhancement: Additionally, enhancing the Content Security Policy (CSP) to disallow inline scripts
+  can significantly mitigate the risk of such vulnerabilities.
+  Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin
+  are executed, and explicitly prohibit inline scripts using script-src-elem.
+patched_versions:
+  - "~> 7.0.8.3"
+  - ">= 7.1.3.3"
+cvss_v3: 5.4
+related:
+  url:
+    - https://discuss.rubyonrails.org/t/xss-vulnerabilities-in-trix-editor/85803
+    - https://github.com/basecamp/trix/releases/tag/v2.1.1
+    - https://github.com/basecamp/trix/pull/1147
+    - https://github.com/basecamp/trix#1149
+    - https://github.com/basecamp/trix#1153
+    - https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99
+    - https://github.com/basecamp/trix/commit/1a5c68a14d48421fc368e30026f4a7918028b7ad
+    - https://github.com/basecamp/trix/commit/841ff19b53f349915100bca8fcb488214ff93554
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-34341
