Editor Froala Version 3.2.6-1 Stored XSS and Html Code Injection

CVE: CVE-2021-39815
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2021-03-07
CPE: Not specified
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021030037

Below is a copy:

Editor Froala Version 3.2.6-1 Stored XSS and Html Code Injection
# Exploit Title: Stored XSS and Html Code Injection Editor Froala Version 3.2.6-1
# Date: 06.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://froala.com/wysiwyg-editor/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ

PoC:

In Froala I used XSS code in base64 and some tags for HTML code injection.

Vulnerable fields: Embed URL, Insert Link, Insert Files, Insert Video, etc.

Example with Insert Files or Insert Image:

Click "browse files" and choose an image file from the computer:

https://imgur.com/a/WIfQQw5

Insert it on the page, click on the image, choose Insert Link and paste the XSS code:

https://imgur.com/a/P59ePrm

And insert! Stored XSS + full HTML code injection: defaced page.

https://imgur.com/a/Ksc5VWX

XSS Code:

https://pastebin.com/jUUXQbzs

Video with XSS and Html Code Injection:

https://www.youtube.com/watch?v=QO2XiR8N1P0
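Defensive example added by the editor, not part of the advisory or of Froala's code: the advisory shows that link, file and video URLs entered through the editor's dialogs end up in stored HTML, so the server that stores that HTML must apply a URL scheme allow-list. The function names isSafeUrl and sanitizeEditorHtml are hypothetical, and the check covers the encodings browsers tolerate (mixed case, embedded tabs/newlines, HTML numeric entities, base64 data: URLs).

```javascript
// Schemes a stored link, image, file or video URL may use. Everything else
// (javascript:, data:, vbscript:, blob:, file:, ...) is rejected.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Bring the attribute value to the form a browser would act on: decode HTML
// numeric/named entities, drop tab/CR/LF (browsers ignore them inside a
// scheme), trim leading/trailing C0 controls and spaces.
function normalizeUrl(raw) {
  return raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&")
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// True only when the URL, parsed the way a browser parses it, uses an
// allow-listed scheme. Relative URLs are resolved against a fixed base so
// they keep https:, while "javascript:..." surfaces as its own scheme.
function isSafeUrl(raw) {
  try {
    const parsed = new URL(normalizeUrl(raw), "https://editor.invalid/");
    return SAFE_SCHEMES.has(parsed.protocol);
  } catch {
    return false; // unparsable or malformed entity: treat as unsafe
  }
}

// Neutralise URL-bearing attributes in editor output whose scheme is not
// allowed. The attribute regex is deliberately simple to keep the example
// self-contained; in production apply this check as the URL policy of a real
// HTML sanitizer, which also handles tags and on* event handlers.
const URL_ATTR = /\b(href|src|data|action|formaction)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function sanitizeEditorHtml(html) {
  return html.replace(URL_ATTR, (match, name, _q, dq, sq, bare) => {
    const value = dq ?? sq ?? bare;
    return isSafeUrl(value) ? match : `${name}="#"`;
  });
}
```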
