Chris Davis, a security consultant at Bishop Fox, recently discovered and publicly disclosed a new vulnerability in Froala, a popular WYSIWYG editor used by at least 30,000 websites. The bug is tracked as CVE-2021-28114 and affects Froala version 3.2.6 and earlier. Froala is a WYSIWYG HTML rich text editor that developers and content creators use to run websites across 30,000 different domains, according to Wappalyzer. The editing tool allegedly contains a security flaw in its HTML sanitization parsing logic that allows attackers to bypass its protections.
Davis states that the vulnerability can be triggered simply by inserting a JavaScript payload in an HTML event handler within specific tags, which causes the parser to mutate the payload into JavaScript commands. The XSS is caused by confusion on the tool's end during the parsing sequence, says Davis. A cross-site scripting attack lets attackers act as the victim user when that user interacts with the vulnerable application, resulting in privilege escalation, data leaks, or, in the worst case, unauthorized fund transfers.
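As an added defensive example, not code from the article or from Froala: a post-sanitization gate in Python that re-parses a sanitizer's output with a real HTML parser, flags any surviving event-handler attribute or javascript: URL, and rejects output that changes when sanitized a second time, which is the signature of the parser-mutation class of bug described above. The two sanitizers and the inputs below are constructed for the demonstration and are not production code.

```python
import re
from html import escape
from html.parser import HTMLParser

class VectorFinder(HTMLParser):
    """Collect (tag, attr, value) for each event-handler attribute or javascript: URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # html.parser lower-cases attribute names
            val = (value or "").strip().lower()
            if name.startswith("on") or (name in ("href", "src", "action") and val.startswith("javascript:")):
                self.findings.append((tag, name, value))

def find_script_vectors(html):
    """Parse `html` as a browser would and list the script vectors that survive."""
    finder = VectorFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def check_sanitizer(sanitize, untrusted):
    """Gate on a sanitizer's output: sanitizing it again must change nothing
    (otherwise the parser is mutating it), and re-parsing it must find no vector."""
    once = sanitize(untrusted)
    if sanitize(once) != once:
        return False, "output changes when sanitized again (parser mutation)"
    vectors = find_script_vectors(once)
    if vectors:
        return False, "script vector survived: %r" % (vectors[0],)
    return True, "clean"

class _StripHandlers(HTMLParser):
    """Toy parser-based sanitizer (constructed for the demo): re-serializes the
    document, dropping every on* attribute."""
    def __init__(self):
        super().__init__()
        self.out = []
    def handle_starttag(self, tag, attrs):
        kept = "".join(' %s="%s"' % (n, escape(v or "", quote=True)) for n, v in attrs if not n.startswith("on"))
        self.out.append("<%s%s>" % (tag, kept))
    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)
    def handle_data(self, data):
        self.out.append(escape(data))

def toy_sanitize(html):
    p = _StripHandlers(); p.feed(html); p.close(); return "".join(p.out)

# Constructed block-list sanitizer that only knows one handler name; the gate exposes the gap.
def blocklist_sanitize(html):
    return re.sub(r'\s+onerror="[^"]*"', "", html, flags=re.I)
```

The gate is cheap enough to run on every save in a CMS: treat any failure as a sanitizer defect to fix, not as content to pass through.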
Read More: XSS vulnerability found in popular WYSIWYG website editor