Updated advisory posts against rubysec/ruby-advisory-db@2235b2d

Author: jasnow

advisories/_posts/2025-12-31-GHSA-g9jg-w8vm-g96v.md

@@ -0,0 +1,44 @@
+---
+layout: advisory
+title: 'GHSA-g9jg-w8vm-g96v (action_text-trix): Trix has a stored XSS vulnerability
+  through its attachment attribute'
+comments: false
+categories:
+- action_text-trix
+advisory:
+  gem: action_text-trix
+  ghsa: g9jg-w8vm-g96v
+  url: https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
+  title: Trix has a stored XSS vulnerability through its attachment attribute
+  date: 2025-12-31
+  description: |
+    ### Impact
+
+    The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS
+    attacks through attachment payloads.
+
+    An attacker could inject malicious code into a data-trix-attachment
+    attribute that, when rendered as HTML and clicked on, could execute
+    arbitrary JavaScript code within the context of the user's session,
+    potentially leading to unauthorized actions being performed or
+    sensitive information being disclosed.
+
+    ### Patches
+
+    Update Recommendation: Users should upgrade to Trix editor
+    version 2.1.16 or later.
+
+    ### Resources
+
+    The XSS vulnerability was reported by HackerOne researcher
+    [michaelcheers](https://hackerone.com/michaelcheers?type=user).
+  cvss_v3: 4.6
+  patched_versions:
+  - ">= 2.1.16"
+  related:
+    url:
+    - https://github.com/basecamp/trix/security/advisories/GHSA-g9jg-w8vm-g96v
+    - https://github.com/basecamp/trix/releases/tag/v2.1.16
+    - https://github.com/basecamp/trix/commit/73c20cf03ab2b56c0ef9c9b1aaf63f2de44f4010
+    - https://github.com/advisories/GHSA-g9jg-w8vm-g96v
+---