Editor Froala Version 3.2.6-1 Stored XSS and Html Code Injection

CVE: CVE-2021-39815
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2021-03-07
CPE: Not specified
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021030037

Below is a copy:

Editor Froala Version 3.2.6-1 Stored XSS and Html Code Injection
# Exploit Title: Stored XSS and Html Code Injection Editor Froala Version 3.2.6-1
# Date: 06.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://froala.com/wysiwyg-editor/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ

PoC:

In Froala I used XSS code in base64 and some tags for HTML code injection.

Vuln Fields: Embed Url, Insert Link, Insert Files, Insert Video, etc.

Example with Insert Files or Insert Image:

Click browse files, choose an image file from the computer:

https://imgur.com/a/WIfQQw5

Insert it on the page, click on the image, choose Insert Link and paste the XSS code:

https://imgur.com/a/P59ePrm

And insert! Stored XSS + full HTML code injection, defacing the page.

https://imgur.com/a/Ksc5VWX

XSS Code:

https://pastebin.com/jUUXQbzs

Video with XSS and Html Code Injection:

https://www.youtube.com/watch?v=QO2XiR8N1P0
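The Insert Link field described above ends up as an href attribute in the stored HTML, so the server-side check a defender wants is one that parses the editor output and refuses URL attributes whose scheme is not http, https or mailto, even when the value is entity-encoded, mixed-case or padded with whitespace the browser would ignore. The block below is an added example written for this page, not Froala's code or the author's PoC; it assumes the submitted HTML arrives as a string, uses only Python's standard library, and covers attribute-based vectors only (a full sanitizer would also drop script, iframe and similar tags).

```python
from html.parser import HTMLParser
from html import escape
import re

# Added example, not Froala's code: server-side check on HTML a WYSIWYG editor submits.
# The advisory's "Insert Link" value lands in href; other URL attributes are treated alike.
URL_ATTRS = {"href", "src", "action", "formaction", "poster", "xlink:href"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
CTRL_AND_SPACE = "".join(chr(i) for i in range(0x21))  # C0 controls plus space

def url_scheme(value):
    # Scheme as a browser sees it: html.parser already decoded entity references;
    # browsers ignore embedded tab/CR/LF and leading controls, so strip those too.
    cleaned = "".join(c for c in value if c not in "\t\r\n").strip(CTRL_AND_SPACE)
    m = SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else None

def url_is_safe(value):
    scheme = url_scheme(value)
    return scheme is None or scheme in ALLOWED_SCHEMES  # relative URLs have no scheme

class EditorHtmlSanitizer(HTMLParser):
    # Rebuilds markup minus on* handlers and unsafe-scheme URL attrs; removals go to self.findings.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []
    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""  # boolean attributes arrive as None
            if name.startswith("on"):
                self.findings.append(f"dropped {name} on <{tag}>")
            elif name in URL_ATTRS and not url_is_safe(value):
                self.findings.append(f"dropped {name} on <{tag}> (scheme {url_scheme(value)})")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(escape(data, quote=False))

def sanitize_editor_html(html):
    parser = EditorHtmlSanitizer()
    parser.feed(html); parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample: an Insert Link-style image link with a placeholder, entity-encoded javascript: href.
SAMPLE = ('<p><a href=" &#106;avascript:void(0)"><img src="/up/a.png" alt="x"></a>'
          '<a href="https://example.com/">ok</a></p>')
```

Log the findings list alongside the user and request that produced them; a stored payload that never reaches the page still tells you someone is probing the editor.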
