CyberNews Briefs

XSS vulnerability found in popular WYSIWYG website editor

Chris Davis, a security consultant at Bishop Fox, recently discovered and publicly disclosed a new vulnerability in a popular WYSIWYG editor used by at least 30,000 websites. The bug is tracked as CVE-2021-28114 and affects Froala version 3.2.6 and earlier. Froala is a WYSIWYG HTML rich text editor used by developers and content creators to run websites across 30,000 different domains, according to Wappalyzer. The editing tool allegedly contains a security flaw in its HTML sanitization parser that allows attackers to bypass its protections.

Davis states that the vulnerability can be triggered simply by inserting a JavaScript payload into an HTML event handler on specific tags, which causes the parser to mutate the payload into JavaScript commands. The XSS is caused by confusion on the tool's end during the parsing sequence, says Davis. The cross-site scripting attack allows attackers to act as the victim user when they interact with vulnerable applications, resulting in privilege escalation, data leaks, or, in the worst case, unauthorized fund transfers.

Read More: XSS vulnerability found in popular WYSIWYG website editor

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.