Froala Editor Version 3.2.6

ADVISORY SUMMARY

The following describes an identified vulnerability in the Froala Editor application, version 3.2.6. Froala is in use on thousands of websites (an estimated 30k sites according to Wappalyzer), but the risk and impact of this vulnerability on those sites depend on the details of the application in which Froala is used: whether existing XSS protections are in place, and whether users can control the content inside the editor, both affect its exploitability.

Impact

The XSS in Froala could be used maliciously to control affected sites' user experience and force actions on behalf of users without their knowledge (e.g., a bank transfer in worst-case scenarios). Additionally, XSS is commonly used by attackers to escalate privileges or exfiltrate sensitive data. In Froala's case the vulnerability may manifest as either stored or reflected XSS depending on the application that uses it, so the impact will vary with the context of the application leveraging Froala.

 

Risk Level

High

Affected Vendor

Product Vendor    Product Name     Affected Version
Froala            Froala Editor    Version 3.2.6 and earlier


Product Description

Froala Editor is a What-You-See-Is-What-You-Get (WYSIWYG) HTML rich-text editor. It is typically included in third-party websites to provide text editing functionality, including HTML text. The project’s official website is https://froala.com. The latest version of the application is 3.2.7, released on May 18, 2021.


Vulnerabilities List:

One vulnerability was identified within the Froala Editor application:

CROSS-SITE SCRIPTING

The vulnerability is described in the sections below.

 

Solution

Update to version 3.2.7 and use the Full Feature configuration of the editor; other configurations, such as Full Page, remain unpatched as of the time of this advisory.


VULNERABILITIES

CROSS-SITE SCRIPTING 

Froala what-you-see-is-what-you-get (WYSIWYG) Editor version 3.2.6 is affected by a vulnerability in its HTML sanitization parsing, which allows an attacker to bypass built-in cross-site scripting (XSS) protections and execute arbitrary JavaScript code. The JavaScript code was executed within the context of the application that loaded Froala.


CVE ID            Security Risk    Impact                                              Access Vector
CVE-2021-28114    High             Information disclosure, Escalation of privileges    Remote


The XSS can be triggered by inserting a JavaScript payload in an HTML event handler nested within specific HTML and MathML tags (shown below); these tags will cause the HTML parser to mutate the following payload into executed JavaScript instructions:

<math><iframe><!--</iframe><img src onerror=alert("XSS")>

FIGURE 1 – XSS payload

Inserting the payload into the Froala Editor while in the Code View functionality of the editor or through the editor's API with $().html.set('[PAYLOAD]') results in JavaScript execution:

FIGURE 2 – JavaScript alert triggered by XSS

 

The XSS is caused by confusion during the HTML parsing sequence. The <math> tag causes the parser to switch its namespace context from HTML to MathML, which is not parsed in the same manner as HTML. The <iframe> tag and the embedded HTML comment opener <!-- cause the parser to switch context during the tokenization phase of HTML parsing and to read the strings that follow as raw character data (RCDATA) rather than as markup. The parsing process also mutates the payload, adding an equals sign [=] and quotation marks ["] to the attributes.

The parsing process attempts to close the HTML comment with a closing comment tag --> because the editor believes the entire payload string is nested in a comment; however, the opening comment <!-- is contained within the iframe tags and does not affect anything after the closing iframe tag. Since the closing comment string added during parsing has no opening comment to close, the HTML parser treats it as RCDATA and embeds it as --&gt;. This process results in the XSS payload being written to the HTML document, as shown below:

<p>
    <iframe><!--</iframe>
        <img src="" onerror="alert(&quot;XSS&quot;)" style="" class="fr-fic fr-dii">
--&gt;
</p>

FIGURE 3 – HTML injected as it is stored in source code
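As an added illustration of the parsing mismatch described above (example code written for this advisory's readers, not Froala's code and not the vendor's fix), the first function below mimics the flawed assumption the advisory describes, namely that everything after <!-- is a comment and can be ignored, while the second applies a context-free check that flags event-handler attributes, foreign-content tags and raw-text elements wherever they occur, comments included. Both are run against the Figure 1 payload and the Figure 3 stored form, embedded here as constructed sample strings. The tag and attribute patterns are assumptions for this example, not a complete allowlist.

```javascript
// Constructed sample inputs taken from Figure 1 (payload) and Figure 3
// (serialized form as stored) of this advisory.
const PAYLOAD = '<math><iframe><!--</iframe><img src onerror=alert("XSS")>';
const STORED =
  '<p>\n' +
  '    <iframe><!--</iframe>\n' +
  '        <img src="" onerror="alert(&quot;XSS&quot;)" style="" class="fr-fic fr-dii">\n' +
  '--&gt;\n' +
  '</p>';

// Mimics the flawed assumption described in the advisory: treat everything
// from "<!--" up to "-->" (or to the end of the input) as a comment and
// ignore it, then look for event handlers in what is left.
function commentAwareHasHandler(html) {
  const withoutComments = html.replace(/<!--[\s\S]*?(?:-->|$)/g, '');
  return /\bon\w+\s*=/i.test(withoutComments);
}

// Context-free patterns (assumed for this example, not a full allowlist).
// They are applied to the raw string regardless of comment or namespace
// context, because the browser's parser may not agree with the sanitizer
// about where a comment ends or which namespace it is in.
const RISKY_PATTERNS = [
  /<\s*(math|svg)\b/i,                                       // namespace switch into foreign content
  /<\s*(iframe|script|style|noscript|textarea|title|xmp)\b/i, // raw-text / RCDATA elements
  /\bon[a-z]+\s*=/i,                                         // any on* event-handler attribute
  /javascript\s*:/i,                                         // script URLs
];

// Returns the source of every pattern that matched, so a reviewer can see
// why a submission was rejected.
function contextFreeFindings(html) {
  return RISKY_PATTERNS.filter((re) => re.test(html)).map((re) => re.source);
}

function contextFreeHasRisk(html) {
  return contextFreeFindings(html).length > 0;
}

// Stand-alone demonstration: the comment-aware check misses both forms,
// the context-free check flags both.
for (const [name, html] of [['payload', PAYLOAD], ['stored', STORED]]) {
  console.log(name, 'comment-aware:', commentAwareHasHandler(html),
              'context-free:', contextFreeFindings(html));
}
```

The context-free check is deliberately coarse: it rejects content rather than trying to repair it, which is the safer posture for a secondary server-side gate in front of a rich-text editor whose own sanitizer depends on parser context.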

 

The impact of this vulnerability depends on the context in which Froala Editor is used and how the editor is leveraged.

 

Credits

 

Timeline

  • Initial discovery: 02/26/2021
  • Contact with vendor: 03/04/2021
  • Vendor acknowledged receipt of vulnerability report: 03/05/2021
  • Contact with vendor for follow-up: 04/26/2021
  • Vendor confirmed planned patch for late May: 04/26/2021
  • Vendor released patched version 3.2.7: 05/18/2021
  • Version 3.2.7 retested: 05/24/2021
  • Contact with vendor; disclosed that the issue was not resolved in all versions of the editor. Offer of publication extension: 05/24/2021
  • Vendor acknowledged, no adjustment made to timeline: 05/24/2021
  • Vulnerabilities publicly disclosed: 06/02/2021