FROALA EDITOR ADVISORY SUMMARY
The following describes an identified vulnerability in the Froala application in version 3.2.6. Froala is in use on thousands of websites (an estimated 30k sites according to wappalyzer), but the risk and impact of this vulnerability on those sites depend on the details of the application in which Froala is used. The use of existing XSS protections, and whether users can control the content inside the editor all affect the exploitability of this vulnerability.
The XSS in Froala could be used maliciously to control affected sites’ user experience and force actions on behalf of users unbeknownst to them (e.g., a bank transfer in worst case scenarios). Additionally, XSS is commonly used by attackers to escalate privileges or exfiltrate sensitive data. In Froala's case the vulnerability may reflect itself as either stored or reflected depending on the application that uses it and therefore the impact will vary. The context of the application leveraging Froala will also dictate the impact of the vulnerability.
High Risk Level
Version 3.2.6 and earlier
Froala Editor is a What-You-See-Is-What-You-Get (WYSIWYG) HTML rich-text editor. It is typically included in third-party websites to provide text editing functionality, including HTML text. The project’s official website is https://froala.com. The latest version of the application is 3.2.7, released on May 18, 2021.
One CROSS-SITE SCRIPTING vulnerability was identified within the Froala Editor application. The vulnerability is described in the sections below.
Update to version 3.2.7 and leverage the Full Feature configuration of the editor as other configurations such as Full Page are unpatched as of the time of this advisory.
|CVE-2021-28114||High||Information disclosure, Escalation of privileges||Remote|
<math><iframe><!--</iframe><img src onerror=alert("XSS")
FIGURE 1 – XSS payload
Inserting the payload into the Froala Editor while in the Code View functionality of the editor or through the editor's API with
The XSS is caused by a confusion during the HTML parsing sequence. The
math tag causes the parser to switch its namespace context from HTML to MathML, which does not parse in the same manner as HTML. The
iframe and embedded HTML comment
!-- causes the parser to switch context during the tokenization phase of HTML parsing and read the strings that follow as user data (
RCDATA) rather than computer instructions. The parsing process also mutates the payload, adding an equals sign
[=] and comments
The parsing process attempts to close the HTML comment out with a closing comment tag
-- because the editor believes the entire payload string is nested in a comment; however, the opening comment
!— is contained in the
iframe tags and does not affect anything after the closing
iframe tag. Since the closing comment string added during parsing does not have an opening tag to close; it is considered to be
RCDATA by the HTML parser and embeds as
-->. This process results in the XSS payload being written to the HTML document, as shown below:
<p> <iframe><!--</iframe> <img src="" onerror="alert("XSS")" style="" class="fr-fic fr-dii"> --> </p>
FIGURE 3 – HTML injected as it is stored in source code
The impact of this vulnerability depends on the context in which Froala Editor is used and how the editor is leveraged.
- Initial discovery: 02/26/2021
- Contact with vendor: 03/04/2021
- Vendor acknowledged receipt vulnerability report: 03/05/2021
- Contact with vendor for follow-up: 04/26/2021
- Vendor confirmed planned patch for late May: 04/26/2021
- Vendor released patched version 3.2.7: 05/18/2021
- Version 3.2.7 retested: 5/24/2021
- Contact with vendor; disclosed the issue was not resolved in all version of the editor. Offer of publication extension: 5/24/2021
- Vendor acknowledged, no adjustment made to timeline: 5/24/2021
- Vulnerabilities publicly disclosed: 06/02/2021
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.