CVE-2019-19935
MEDIUM6.1EPSS 2.2%DOM-based cross-site scripting in Froala Editor
發布日:2022/2/10修改日:2023/11/8
描述
Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in JavaScript that enables rich text editing capabilities for web applications. A DOM-based cross-site scripting (XSS) vulnerability exists in versions before 3.2.3 because HTML code in the editor is not correctly sanitized when inserted into the DOM. This allows an attacker that can control the editor content to execute arbitrary JavaScript in the context of the victim’s session.
受影響套件(1)
- npm/froala-editorfrom 0, < 3.2.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-19935
- PATCHhttps://github.com/froala/wysiwyg-editor-release
- WEBhttp://packetstormsecurity.com/files/158300/Froala-WYSIWYG-HTML-Editor-3.1.1-Cross-Site-Scripting.html
- WEBhttps://blog.compass-security.com/2020/07/yet-another-froala-0-day-xss
- WEBhttps://compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2020-004_DOM_XSS_in_Froala_WYSIWYG_HTML_Editor.txt
- WEBhttps://froala.com/wysiwyg-editor/changelog/#3.2.3
- WEBhttps://github.com/froala/wysiwyg-editor/compare/v3.0.5...v3.0.6
- WEBhttps://snyk.io/vuln/npm:froala-editor