XSS vulnerability found in popular WYSIWYG website editor

The security flaw was found in how HTML sanitizing is performed.

A cross-site scripting (XSS) vulnerability has been found in a WYSIWYG editor used by at least 30,000 websites. 

Discovered by Bishop Fox security consultant Chris Davis and publicly disclosed on Wednesday, the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. 

Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators. 

Wappalyzer estimates that Froala is in use by approximately 30,000 web domains. 

According to Bishop Fox, the flaw lies in how the editor's HTML sanitizer parses input, which allows attackers to bypass its existing XSS protections. 

The vulnerability is triggered by placing a JavaScript payload in an HTML event handler attribute nested inside a specific combination of HTML and MathML tags. The sanitizer's parser interprets that markup differently from the browser, so markup the sanitizer judged inert is mutated, on rendering, into executable JavaScript, the pattern known as mutation XSS (mXSS). 

"The XSS is caused by a confusion during the HTML parsing sequence," Davis said. "The <math> tag causes the parser to switch its namespace context from HTML to MathML, which does not parse in the same manner as HTML. The <iframe> and embedded HTML comment <!-- causes the parser to switch context during the tokenization phase of HTML parsing and read the strings that follow as user data (RCDATA) rather than computer instructions."

[Screenshot: Bishop Fox]
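The namespace confusion Davis describes, modelled as an added example. This is not Froala's sanitizer and not Bishop Fox's payload (the article does not publish it); it is a toy tokenizer that implements only the two spec rules needed to show how a flat, HTML-only parser and a browser-accurate, namespace-aware parser can disagree about the same input. The sample inputs are constructed for the illustration.

```javascript
// Toy model of two HTML tokenizer rules, added here to illustrate the namespace
// confusion described in the article. This is NOT Froala's sanitizer and the
// inputs below are constructed, not the disclosed payload.
//   Rule 1: in the HTML namespace an <iframe> start tag puts the tokenizer into
//           RAWTEXT, so everything up to </iframe> is text, not tags.
//   Rule 2: inside <math>/<svg> the parser is in "foreign content": <iframe> is
//           an ordinary foreign element and the tokenizer stays in the data
//           state; an <img> start tag "breaks out" back to the HTML namespace.
// Only the subset of the spec needed to show the divergence is modelled
// (no integration points such as <mtext>, no entity decoding, etc.).

const RAWTEXT_TAGS = new Set(['iframe', 'noembed', 'noframes', 'style', 'xmp']);
const BREAKOUT_TAGS = new Set(['img', 'b', 'p', 'div', 'span', 'table', 'br', 'embed', 'meta']);
const FOREIGN_ROOTS = new Set(['math', 'svg']);

const START_TAG = /^<([a-zA-Z][^\s/>]*)([^>]*?)\/?>/;
const END_TAG = /^<\/([a-zA-Z][^\s>]*)\s*>/;
const ATTR = /([^\s=/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// namespaceAware=false: a flat, HTML-only tokenizer (every <iframe> is RAWTEXT).
// namespaceAware=true:  tracks <math>/<svg> the way the browser does.
function tokenize(html, { namespaceAware }) {
  const tokens = [];
  let foreignDepth = 0; // > 0 while inside <math> or <svg>
  let i = 0;
  while (i < html.length) {
    const rest = html.slice(i);
    if (rest.startsWith('<!--')) {                  // comment in the data state
      const end = rest.indexOf('-->', 4);
      tokens.push({ type: 'comment', data: end === -1 ? rest.slice(4) : rest.slice(4, end) });
      i += end === -1 ? rest.length : end + 3;
      continue;
    }
    let m = END_TAG.exec(rest);
    if (m) {
      const name = m[1].toLowerCase();
      tokens.push({ type: 'end', name });
      if (FOREIGN_ROOTS.has(name) && foreignDepth > 0) foreignDepth--;
      i += m[0].length;
      continue;
    }
    m = START_TAG.exec(rest);
    if (m) {
      const name = m[1].toLowerCase();
      i += m[0].length;
      if (namespaceAware && foreignDepth > 0 && BREAKOUT_TAGS.has(name)) foreignDepth = 0; // Rule 2
      const ns = namespaceAware && foreignDepth > 0 ? 'foreign' : 'html';
      tokens.push({ type: 'start', name, attrs: parseAttrs(m[2]), ns });
      if (FOREIGN_ROOTS.has(name)) foreignDepth++;
      if (RAWTEXT_TAGS.has(name) && ns === 'html') {  // Rule 1 (flat model: always)
        const close = html.toLowerCase().indexOf('</' + name, i);
        const stop = close === -1 ? html.length : close;
        tokens.push({ type: 'text', data: html.slice(i, stop) });
        i = stop;
      }
      continue;
    }
    const next = html.indexOf('<', i + 1);          // ordinary text
    const stop = next === -1 ? html.length : next;
    tokens.push({ type: 'text', data: html.slice(i, stop) });
    i = stop;
  }
  return tokens;
}

// "tag@attr" for every on* event handler attribute seen on a start tag.
function eventHandlers(tokens) {
  const found = [];
  for (const t of tokens) {
    if (t.type !== 'start') continue;
    for (const a of Object.keys(t.attrs)) if (a.startsWith('on')) found.push(`${t.name}@${a}`);
  }
  return found;
}

const tokenKinds = (html, opts) =>
  tokenize(html, opts).map(t => (t.type === 'start' || t.type === 'end') ? `${t.type}:${t.name}` : t.type);

// What a flat tokenizer reports vs. what a browser-like one reports.
function compareViews(html) {
  return {
    flat: eventHandlers(tokenize(html, { namespaceAware: false })),
    aware: eventHandlers(tokenize(html, { namespaceAware: true })),
  };
}

// Constructed samples (illustrative only).
const SAMPLES = {
  plain: '<img src=x onerror=alert(1)>',                                 // both views see the handler
  inIframe: '<p><iframe><img src=x onerror=alert(1)></iframe></p>',      // both: RAWTEXT, no tag
  inMath: '<math><iframe><img src=x onerror=alert(1)></iframe></math>',  // the two views diverge
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of Object.entries(SAMPLES)) console.log(label, JSON.stringify(compareViews(html)));
}
```

For the third sample the flat view reports no event handler, because it treats everything after `<iframe>` as raw text, while the namespace-aware view reports `img@onerror`, because inside `<math>` the `<iframe>` start tag does not switch the tokenizer and the `<img>` breaks back out into HTML. A sanitizer whose parser behaves like the flat view would pass that markup as clean and the browser would execute it. The same divergence shows with the comment Davis mentions: inside `<math><iframe>`, `<!--</iframe>-->` is a comment that swallows the closing tag in the aware view, but raw text followed by a real `</iframe>` in the flat view. The practical lesson is that a sanitizer must parse with the browser's own namespace rules (or the browser's own DOM), not with a flat tokenizer; this toy is not itself a sanitizer.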

As a result, XSS can be triggered. Cross-site scripting attacks often allow attackers to act as a victim user when they interact with a vulnerable application, and consequences can range from privilege escalation to data leaks or, in the worst scenarios, actions such as forcing an unauthorized fund transfer. 

"In Froala's case the vulnerability may reflect itself as either stored or reflected depending on the application that uses it and therefore the impact will vary," the researcher says. "The context of the application leveraging Froala will also dictate the impact of the vulnerability."

CVE-2021-28114 was discovered on February 26 and reported to Froala on March 4. The vendor released a patch in version 3.2.7 on May 18; however, when Bishop Fox retested the software it found that, in some configurations, the bug had not been fully resolved. An extension of the public disclosure timeline was offered, but no further adjustments were made. 

When contacted, the vendor pointed us to the changelog. XSS bugs were previously patched in versions 3.2.2 and 3.2.3.

To mitigate the risk, users should upgrade to at least version 3.2.7, and preferably to the latest release, since Bishop Fox's retest found the 3.2.7 fix incomplete in some configurations. The latest version, v4.0, was released on June 1. Because the bypass is in the editor's client-side sanitizer, applications that store or render the editor's output should also sanitize that HTML on the server rather than trusting what the browser submits. 
