The following describes an identified vulnerability in the Froala Editor application, version 3.2.6. Froala is in use on thousands of websites (an estimated 30k sites according to Wappalyzer), but the risk and impact of this vulnerability on those sites depend on the details of the application in which Froala is used: the presence of existing XSS protections and whether users can control the content inside the editor both affect its exploitability.
The XSS in Froala could be used maliciously to control affected sites’ user experience and to force actions on behalf of users without their knowledge (e.g., a bank transfer in worst-case scenarios). XSS is also commonly used by attackers to escalate privileges or exfiltrate sensitive data. In Froala's case the vulnerability may manifest as either stored or reflected XSS depending on the application that uses it, and the context of that application will also dictate the impact.
Affected versions: 3.2.6 and earlier
Froala Editor is a What-You-See-Is-What-You-Get (WYSIWYG) HTML rich-text editor. It is typically embedded in third-party websites to provide text-editing functionality, including the editing of raw HTML. The project’s official website is https://froala.com. The latest version of the application is 3.2.7, released on May 18, 2021.
One vulnerability was identified within the Froala Editor application:

| CVE | Severity | Impact | Attack vector |
|---|---|---|---|
| CVE-2021-28114 | High | Information disclosure, escalation of privileges | Remote |

The vulnerability is described in the sections below.

Remediation: Update to version 3.2.7 and use the Full Feature configuration of the editor, as other configurations such as Full Page remain unpatched as of the time of this advisory.
<math><iframe><!--</iframe><img src onerror=alert("XSS")>
FIGURE 1 – XSS payload
Inserting the payload into the Froala Editor while in the Code View functionality of the editor or through the editor's API with
The XSS is caused by a confusion during the HTML parsing sequence. The <math> tag causes the parser to switch its namespace context from HTML to MathML, which is not parsed in the same manner as HTML. The <iframe> tag and the embedded HTML comment opener <!-- cause the parser to switch context during the tokenization phase of HTML parsing and read the strings that follow as user data rather than as markup instructions. The parsing process also mutates the payload, adding an equals sign (=) to the bare src attribute, as seen in Figure 3. The parsing process then attempts to close the HTML comment with a closing comment tag --> because the editor believes the entire payload string is nested in a comment; however, the opening comment <!-- is contained within the <iframe> tags and does not affect anything after the closing </iframe> tag. Since the closing comment string added during parsing has no opening tag to close, it is treated as plain text by the HTML parser and is embedded as a literal -->. This process results in the XSS payload being written to the HTML document, as shown below:
<p> <iframe><!--</iframe> <img src="" onerror="alert("XSS")" style="" class="fr-fic fr-dii"> --> </p>
FIGURE 3 – HTML injected as it is stored in source code
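To make the parser differential concrete, the following Python is an added example (not code from the advisory or from Froala) that compares what a comment-unaware parser sees in the stored markup of Figure 3 with what a tokenizer that, like a browser, reads <iframe> content as raw text sees; the RAWTEXT element set, the simplified tokenizer and the names naive_elements, browser_elements and event_handler_attrs are assumptions of the example. The defensive point is that a sanitizer which believes the <img> sits inside a comment will let it through, so checks for on* attributes must run on the markup as a browser tokenizes it.

```python
import re
from html.parser import HTMLParser

# Constructed copy of the stored markup shown in Figure 3 of the advisory.
STORED = ('<p> <iframe><!--</iframe> <img src="" onerror="alert("XSS")" '
          'style="" class="fr-fic fr-dii"> --> </p>')
# Elements whose content the HTML5 tokenizer reads as RAWTEXT (set assumed for
# this example): inside them "<!--" is plain text, so no comment can start.
RAWTEXT = {"iframe", "noembed", "noframes", "style", "xmp"}
TOKEN = re.compile(r"<!--|<(/?)([a-zA-Z][^\s/>]*)([^>]*)>")
ATTR = re.compile(r"""([a-zA-Z][^\s"'>/=]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?""")

def naive_elements(markup):
    # Start tags seen by Python's html.parser, which does not treat <iframe>
    # content as raw text and so swallows "<!--" ... "-->" as one comment,
    # hiding the <img> just as the editor's cleaner did.
    seen = []
    class Collector(HTMLParser):
        def handle_starttag(self, tag, attrs):
            seen.append(tag)
    parser = Collector()
    parser.feed(markup)
    parser.close()
    return seen

def browser_elements(markup):
    # Start tags as (name, attribute names) the way a browser tokenizer emits them.
    # Simplified: no MathML/SVG namespaces, so use the stored HTML of Figure 3.
    seen, pos = [], 0
    while True:
        m = TOKEN.search(markup, pos)
        if not m:
            return seen
        pos = m.end()
        if m.group(0) == "<!--":            # genuine comment in data state
            end = markup.find("-->", pos)
            pos = len(markup) if end < 0 else end + 3
            continue
        if m.group(1):                      # end tag: nothing to record
            continue
        name = m.group(2).lower()
        seen.append((name, [a.group(1).lower() for a in ATTR.finditer(m.group(3))]))
        if name in RAWTEXT:                 # raw text runs up to the end tag
            end = re.search(r"</%s\s*>" % name, markup[pos:], re.I)
            pos = len(markup) if end is None else pos + end.end()

def event_handler_attrs(markup):
    # Detection check: on* attributes a browser would actually honour.
    return [(n, a) for n, attrs in browser_elements(markup) for a in attrs if a.startswith("on")]
```

Running naive_elements(STORED) yields only p and iframe, while browser_elements(STORED) also reports the img element with its onerror attribute.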
The impact of this vulnerability depends on the context in which Froala Editor is used and how the editor is leveraged.