GHSA-H236-G5GH-VQ6C

Vulnerability from github – Published: 2022-02-10 23:32 – Updated: 2022-10-31 15:55
VLAI?
Summary
DOM-based cross-site scripting in Froala Editor
Details

Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in JavaScript that enables rich text editing capabilities for web applications. A DOM-based cross-site scripting (XSS) vulnerability exists in versions before 3.2.3 because HTML code in the editor is not correctly sanitized when inserted into the DOM. This allows an attacker that can control the editor content to execute arbitrary JavaScript in the context of the victim’s session.

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard Create KEV Entry 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "froala-editor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-19935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-11T17:34:13Z",
    "nvd_published_at": "2020-07-07T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in JavaScript that enables rich text editing capabilities for web applications. A DOM-based cross-site scripting (XSS) vulnerability exists in versions before 3.2.3 because HTML code in the editor is not correctly sanitized when inserted into the DOM. This allows an attacker that can control the editor content to execute arbitrary JavaScript in the context of the victim\u2019s session.",
  "id": "GHSA-h236-g5gh-vq6c",
  "modified": "2022-10-31T15:55:40Z",
  "published": "2022-02-10T23:32:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19935"
    },
    {
      "type": "WEB",
      "url": "https://blog.compass-security.com/2020/07/yet-another-froala-0-day-xss"
    },
    {
      "type": "WEB",
      "url": "https://compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2020-004_DOM_XSS_in_Froala_WYSIWYG_HTML_Editor.txt"
    },
    {
      "type": "WEB",
      "url": "https://froala.com/wysiwyg-editor/changelog/#3.2.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froala/wysiwyg-editor-release"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froala/wysiwyg-editor/compare/v3.0.5...v3.0.6"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/npm:froala-editor"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/158300/Froala-WYSIWYG-HTML-Editor-3.1.1-Cross-Site-Scripting.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "DOM-based cross-site scripting in Froala Editor"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.