Tune into our first episode of Tool Talk: a how-to series for hackers. REGISTER ›

Froala Editor, Version 3.2.6 Advisory

High-Risk Security Vulnerability found by Bishop Fox Research Team

Share

FROALA EDITOR ADVISORY SUMMARY

The following describes an identified vulnerability in the Froala application in version 3.2.6. Froala is in use on thousands of websites (an estimated 30k sites according to wappalyzer), but the risk and impact of this vulnerability on those sites depend on the details of the application in which Froala is used. The use of existing XSS protections, and whether users can control the content inside the editor all affect the exploitability of this vulnerability.

Impact

The XSS in Froala could be used maliciously to control affected sites’ user experience and force actions on behalf of users unbeknownst to them (e.g., a bank transfer in worst case scenarios). Additionally, XSS is commonly used by attackers to escalate privileges or exfiltrate sensitive data. In Froala's case the vulnerability may reflect itself as either stored or reflected depending on the application that uses it and therefore the impact will vary. The context of the application leveraging Froala will also dictate the impact of the vulnerability.

High Risk Level


Affected Vendor

Product Vendor

Product Name

Affected Version

Froala

Froala Editor

Version 3.2.6 and earlier

Product Description

Froala Editor is a What-You-See-Is-What-You-Get (WYSIWYG) HTML rich-text editor. It is typically included in third-party websites to provide text editing functionality, including HTML text. The project’s official website is https://froala.com. The latest version of the application is 3.2.7, released on May 18, 2021.

Vulnerabilities List:

One CROSS-SITE SCRIPTING vulnerability was identified within the Froala Editor application. The vulnerability is described in the sections below.

Solution

Update to version 3.2.7 and leverage the Full Feature configuration of the editor as other configurations such as Full Page are unpatched as of the time of this advisory.

VULNERABILITIES

CROSS-SITE SCRIPTING

Froala what-you-see-is-what-you-get (WYSIWYG) Editor version 3.2.6 is affected by a vulnerability in its HTML sanitization parsing, which allows an attacker to bypass built-in cross-site scripting (XSS) protections and execute arbitrary JavaScript code. The JavaScript code was executed within the context of the application that loaded Froala.

CVE ID

Security Risk

Impact

Access Vector

CVE-2021-28114 High Information disclosure, Escalation of privileges Remote

The XSS can be triggered by inserting a JavaScript payload in an HTML event handler nested within specific HTML and MathML tags (shown below); these tags will cause the HTML parser to mutate the following payload into executed JavaScript instructions:

<math><iframe><!--</iframe><img src onerror=alert("XSS")

FIGURE 1 – XSS payload

Inserting the payload into the Froala Editor while in the Code View functionality of the editor or through the editor's API with $().html.set('[PAYLOAD]') results in JavaScript execution:

JavaScript alert triggered by XSS after Inserting the payload into the Froala Editor
FIGURE 2 - JavaScript alert triggered by XSS


The XSS is caused by a confusion during the HTML parsing sequence. The math tag causes the parser to switch its namespace context from HTML to MathML, which does not parse in the same manner as HTML. The iframe and embedded HTML comment !-- causes the parser to switch context during the tokenization phase of HTML parsing and read the strings that follow as user data (RCDATA) rather than computer instructions. The parsing process also mutates the payload, adding an equals sign [=] and comments ["].

The parsing process attempts to close the HTML comment out with a closing comment tag -- because the editor believes the entire payload string is nested in a comment; however, the opening comment !— is contained in the iframe tags and does not affect anything after the closing iframe tag. Since the closing comment string added during parsing does not have an opening tag to close; it is considered to be RCDATA by the HTML parser and embeds as -->. This process results in the XSS payload being written to the HTML document, as shown below:

<p>
    <iframe><!--</iframe>
        <img src="" onerror="alert("XSS")" style="" class="fr-fic fr-dii">
-->
</p>

FIGURE 3 – HTML injected as it is stored in source code

The impact of this vulnerability depends on the context in which Froala Editor is used and how the editor is leveraged.

Credits

Timeline

  • Initial discovery: 02/26/2021
  • Contact with vendor: 03/04/2021
  • Vendor acknowledged receipt vulnerability report: 03/05/2021
  • Contact with vendor for follow-up: 04/26/2021
  • Vendor confirmed planned patch for late May: 04/26/2021
  • Vendor released patched version 3.2.7: 05/18/2021
  • Version 3.2.7 retested: 5/24/2021
  • Contact with vendor; disclosed the issue was not resolved in all version of the editor. Offer of publication extension: 5/24/2021
  • Vendor acknowledged, no adjustment made to timeline: 5/24/2021
  • Vulnerabilities publicly disclosed: 06/02/2021

Chris davis

About the author, Chris Davis

Senior Security Consultant

Chris Davis is a Senior Security Consultant at Bishop Fox. His areas of expertise are application penetration testing (static and dynamic) and external network penetration testing.

Chris actively conducts independent security research and has been credited with the discovery of 40 CVEs (including CVE-2019-7551 and CVE-2018-17150) on enterprise-level, highly distributed software. The vulnerabilities he identified included remote code execution and cross-site scripting (XSS).
More by Chris

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.