#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Froala WYSIWYG HTML Editor
# Vendor:   Froala
# CSNC ID:  CSNC-2020-004
# CVE ID:   CVE-2019-19935
# Subject:  DOM XSS in Froala WYSIWYG HTML Editor
# Severity: Medium
# Effect:   Remotely exploitable
# Author:   Emanuel Duss
# Date:     2020-07-01
#
#############################################################

Introduction
------------

Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML editor written in
JavaScript that enables rich text editing capabilities for web applications [1].
Froala sanitizes the user input in order to prevent cross-site scripting
attacks [2].

During a web application penetration test, Compass found a DOM-based cross-site
scripting (XSS) vulnerability [3] in the Froala WYSIWYG HTML Editor. HTML code
in the editor is not correctly sanitized when inserted into the DOM. This
allows an attacker who can control the editor content to execute arbitrary
JavaScript in the context of the victim's session.

Affected
--------

* All versions of the Froala WYSIWYG HTML Editor

The issue was found in December 2019 in version 3.0.6 and was still not fixed
in July 2020 in version 3.1.1.

Technical Summary
-----------------

It's possible to perform DOM-based XSS in the Froala editor by inserting the `

This can be verified by inserting the payload into the "Code View" of the
editor. In this case, this would be a self-XSS because the users would only
attack themselves. However, it could be possible that untrusted data from a
non-controlled source is loaded into the editor in order to exploit it. An
example could be a web application where multiple users can edit the same
content using this editor. An attacker can use this to execute their own
JavaScript code in the session of the victim.
This can be abused to read the content of the victim's account, use the
session to make further requests to the web application, or read the cookies
or web storage.

Technical Details
-----------------

# Correct Behavior

According to the Froala tech support page "Why is the

The JavaScript console shows that legitimate HTML tags like `` or `` were
inserted into the DOM but the `

The JavaScript console shows that the code is executed but the origin is
`undefined`:

undefined

# Example 2

Another example is issue #3039 [8], which is marked as closed and which uses
the `` tag to embed HTML / JavaScript code:

[...]
data = "";
[...]

The JavaScript console shows that the code is executed but the origin is
empty:

// empty line

# Exploiting XSS with Undefined / Empty Origins

Because the origin is not the same as where the PoC is hosted, it's not a
typical XSS where an attacker could read the content of the victim's website,
use the session to make further requests or access the cookies or web storage.
It is however still possible to perform arbitrary redirects to other websites
using the reference to `window.top.location`:

[...]
data = "";
[...]

This redirects to http://evil.example.net/.

The same applies for the embed tag:

[...]
data = ""
[...]

Decoded base64 payload:

This also redirects to http://evil.example.net/.

This is not as nice and powerful as the "real" XSS attack from the beginning,
but still something ;-).

Vulnerability Classification
----------------------------

CVSS v3.1 Metrics [9]:

* CVSS Base Score: 6.1
* CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Remediation
-----------

This XSS issue is not fixed. The vendor can't tell any exact release date for
a fixed version. Therefore, only trusted data or data that is already
sanitized should be loaded into the editor.

Timeline
--------

2019-12-05 Discovered vulnerability and informed customer.
2019-12-06 Contacted Froala and asked for security contact. Auto reply
           received, ticket #15328 opened.
2019-12-09 Asked again, got response. Contact via e-mail (support@froala.com)
           and ticket number.
2019-12-10 Sent vulnerability details.
2019-12-16 Froala confirmed vulnerability and that all Froala HTML editor
           versions are affected.
2019-12-19 Informed Froala about the closed XSS GitHub issues that are still
           not fixed.
2019-12-23 MITRE assigned CVE number CVE-2019-19935.
2019-12-26 Froala tells that this issue has high priority. Issue will be fixed
           after version 3.1.0.
2020-01-09 Asked Froala for updates on the issue.
2020-01-10 Froala tells that all reported issues will be fixed after version
           3.1.1.
2020-02-21 Asked Froala for updates on the issue. No response.
2020-03-09 Asked Froala for updates on the issue.
2020-03-20 Froala tells that the issue will be fixed in the next release.
2020-04-21 Asked Froala for updates on the issue. Froala denied that there is
           any XSS issue, even though they had confirmed the issue before.
           Delivered a PoC and additional details that demonstrate and explain
           the issue in detail. Froala understands the issue and tells that it
           will be fixed in the next release (no exact release date known, but
           it should be fixed in Q2 of 2020).
2020-05-01 Asked Froala for updates on the issue. Still no release date known.
2020-06-02 Asked Froala for updates on the issue. Still no release date known.
2020-06-23 Asked Froala for updates on the issue. Should be released in July.
2020-07-01 Public disclosure after Q2 has ended and more than 200 days after
           initial notification.

References
----------

[1] https://froala.com/wysiwyg-editor/
[2] https://wysiwyg-editor.froala.help/hc/en-us/articles/115000428829-Why-is-the-script-tag-being-removed-
[3] https://portswigger.net/web-security/cross-site-scripting/dom-based
[4] https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
[5] https://www.w3schools.com/tags/att_iframe_srcdoc.asp
[6] https://github.com/froala/wysiwyg-editor/issues?q=is%3Aissue+xss
[7] https://github.com/froala/wysiwyg-editor/issues/3270
[8] https://github.com/froala/wysiwyg-editor/issues/3039
[9] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N&version=3.1
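Added example for the Remediation section (not part of the Compass advisory
and not Froala code): since the vendor fix was outstanding, the advisory's
advice is to load only already-sanitized data into the editor. The following
hypothetical server-side allowlist sanitizer, built on the Python standard
library's html.parser, shows what that means in practice. It keeps a small,
constructed allowlist of formatting tags and attributes, removes `<iframe>`
(and therefore its `srcdoc`) and `<embed>` elements, the two vectors named in
this advisory, drops every event-handler attribute and rejects `javascript:`
and protocol-relative URLs in `href`. The allowlist, the class name and the
sample inputs are this example's assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for this example: simple formatting only. Anything not
# listed here is stripped; widen it only to what the application really needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
URL_ATTRS = {"href"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# Elements removed together with everything inside them (iframe/srcdoc is one
# of the advisory's vectors). <embed> is a void element, so it carries no
# content and is simply dropped by not being in ALLOWED_TAGS.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "svg", "math",
                     "template", "noscript"}
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def _safe_url(value):
    """Accept http(s)/mailto URLs or same-site relative paths only.

    Whitespace and control characters are stripped before the scheme check
    because browsers tolerate them inside a scheme (e.g. 'java\\tscript:')."""
    probe = _CTRL_WS.sub("", value).lower()
    if probe.startswith(SAFE_SCHEMES):
        return True
    # Relative URL: no scheme at all and not protocol-relative ('//host/...').
    return ":" not in probe and not probe.startswith("//")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags and attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allowed tags currently open, to keep output balanced
        self.drop_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue      # covers every on* handler, style, srcdoc, ...
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_ELEMENTS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in self.open:
            return
        # Close everything opened after this tag as well, so output stays balanced.
        while self.open:
            top = self.open.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped; entities were decoded by convert_charrefs=True.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def result(self):
        while self.open:
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize_html(html):
    """Return an allowlist-filtered, balanced HTML string."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed samples: the two element types from the advisory plus the
    # usual attribute-based vectors a sanitizer must also handle.
    for sample in [
        '<p>Hello <b>world</b></p>',
        '<p>a<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>b</p>',
        '<p><embed src="data:text/html;base64,AAAA"></p>',
        '<a href="javascript:alert(1)" onclick="go()">x</a>',
        '<img src=x onerror=alert(1)>text',
    ]:
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

The design choice worth noting is that the sanitizer never copies input
markup through: it re-serializes only what the allowlist permits, so a tag or
attribute it has not been told about cannot survive. In a real deployment a
maintained library (for example DOMPurify on the client side) is preferable to
hand-written code, but the allowlist principle is the same.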