Editor Froala Version 3.2.6-1 Stored XSS and Html Code Injection

2021.03.07
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Stored XSS and HTML Code Injection in Froala Editor Version 3.2.6-1
# Date: 06.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://froala.com/wysiwyg-editor/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ

PoC:

In Froala I used XSS code in base64 and some tags for HTML code injection.

Vuln Fields: Embed Url, Insert Link, Insert Files, Insert Video, etc.

Example with Insert Files or Insert Image:

1. Click "browse files" and choose an image file from your computer: https://imgur.com/a/WIfQQw5
2. Insert it on the page, click on the image, choose Insert Link and paste the XSS code: https://imgur.com/a/P59ePrm
3. Insert! Stored XSS + full HTML code injection (page deface): https://imgur.com/a/Ksc5VWX

XSS Code: https://pastebin.com/jUUXQbzs
Video with XSS and HTML Code Injection: https://www.youtube.com/watch?v=QO2XiR8N1P0
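The PoC above stores its payload through the editor's link dialog, so the defensive check a practitioner wants is an allowlist on the scheme of every href/src that reaches storage, applied on the server rather than in the editor (anything the editor filters client-side can be re-posted directly). The following is an added example written for this page, not Froala's code and not the author's PoC; the base origin, the allowed-scheme set and the function names are assumptions. It relies on the WHATWG URL parser (global `URL` in Node.js and browsers) because that parser already strips the leading whitespace and embedded tab/newline characters that are commonly used to smuggle a `javascript:` scheme past naive string checks.

```javascript
// Allowlist-based validation of link targets submitted from a WYSIWYG editor.
// Added example, not Froala's code. Assumed to run server-side, after HTML
// entity decoding (i.e. on the attribute value a browser would actually use).

// Assumed base origin used to resolve relative hrefs such as "/page".
const ORIGIN = "https://example.com/";

// Assumed allowlist: a link may only point at these schemes. Everything else
// (javascript:, data:, vbscript:, blob:, unknown schemes) is rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Returns the normalised absolute URL string if the href is acceptable,
// otherwise null. Normalisation lowercases scheme and host, so
// "JAVASCRIPT:" or "Java\tScript:" cannot slip past a case-sensitive check.
function sanitizeHref(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    // The WHATWG parser strips leading/trailing C0 controls and spaces and
    // removes ASCII tab/newline anywhere in the input, so " java\nscript:"
    // parses with protocol "javascript:" and is rejected below.
    parsed = new URL(raw, ORIGIN);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Convenience boolean for callers that only need accept/reject.
function isSafeHref(raw) {
  return sanitizeHref(raw) !== null;
}

// Filters a batch of candidate link targets (e.g. every href/src extracted
// from a submitted document) into the ones to keep and the ones to drop.
function filterHrefs(candidates) {
  const kept = [];
  const dropped = [];
  for (const c of candidates) {
    const clean = sanitizeHref(c);
    if (clean === null) dropped.push(c);
    else kept.push(clean);
  }
  return { kept, dropped };
}

// Constructed sample input: three benign targets and four hostile ones.
const SAMPLE_HREFS = [
  "https://example.org/docs",
  "/relative/page",
  "mailto:user@example.org",
  "javascript:alert(1)",
  " java\tscript:alert(1)",
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
  "vbscript:msgbox(1)",
];

const demo = filterHrefs(SAMPLE_HREFS);
console.log("kept:", demo.kept);
console.log("dropped:", demo.dropped);
```

Run the check on the server on every `href`, `src` and embed URL in the stored document, not only on the link dialog: the editor's own toolbar is just one client, and an attacker can post arbitrary HTML to the same endpoint. Pair it with a tag and attribute allowlist for the rest of the markup; scheme filtering alone does nothing about injected `<script>` or event-handler attributes.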


Copyright 2021, cxsecurity.com
