CVE-2023-41592
Cross-site Scripting (XSS) vulnerability in froala/wysiwyg-editor (Packagist)
What is CVE-2023-41592 About?
Froala Editor versions 4.0.1 to 4.1.1 are susceptible to a Cross-site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject malicious scripts into web pages, leading to various client-side attacks. Exploitation is typically straightforward, often requiring user interaction to trigger, but can have significant impact on user sessions and data integrity.
Affected Software
- froala/wysiwyg-editor
  - >4.0.1, <4.1.4
- froala-editor
  - >4.0.1, <4.1.4
Technical Details
This Cross-site Scripting (XSS) vulnerability exists within Froala Editor, affecting versions 4.0.1 through 4.1.1. An attacker can inject arbitrary client-side scripts, typically by embedding malicious code in content processed or rendered by the editor. When this content is subsequently viewed by another user, the injected script executes within the victim's browser context. This could involve encoding issues, improper validation of user-supplied input, or insufficient sanitization of HTML tags and attributes, allowing script execution through mechanisms like <img> tags with malformed src or onerror attributes, or <script> tags that are not properly disarmed.
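The mitigation implied above is to never trust editor output: rebuild submitted HTML from an allowlist of tags and attributes before it is stored or rendered, so that script elements, event-handler attributes and script-scheme URLs never reach another user's browser. The following is an added example written for this page, not code from Froala or from the advisory; it uses only the Python standard library, and the allowlist contents, the sample input and the `sanitize` function name are assumptions chosen for illustration. It is independent of the editor version, so it also serves as defense in depth after upgrading.

```python
"""Allowlist-based sanitizer for HTML submitted through a rich-text editor.

Added example (not Froala's own code). The parser rebuilds the document
from an allowlist, so <script> elements, on* event-handler attributes and
javascript: URLs, the vectors the advisory names, are dropped rather than
passed through. Allowlist contents are an assumption for illustration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a", "img",
                "ul", "ol", "li", "h1", "h2", "h3"}
# Attributes are allowed per tag; nothing else survives, which removes
# every on* handler without having to enumerate them.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Accept only relative URLs and a short list of schemes."""
    if any(ord(c) < 32 for c in value):          # tab/newline tricks in the scheme
        return False
    scheme = urlparse(value.strip()).scheme.lower()
    return scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 while inside <script>/<style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                                # unknown tag: keep its text, drop the tag
        kept = []
        for name, value in attrs:                 # HTMLParser lowercases tag and attr names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = value or ""                   # boolean attributes arrive as None
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded on input; re-escape on output so
        # text can never be reinterpreted as markup.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))
    # Comments, declarations and processing instructions are not handled,
    # so the base class silently discards them.


def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of editor output mixing legitimate markup with the
    # vectors described in the advisory.
    sample = ('<p>Hello <b>world</b></p>'
              '<img src="x" onerror="alert(1)">'
              '<script>alert(1)</script>'
              '<a href="javascript:alert(1)">x</a>'
              '<a href="https://example.com" title="t">ok</a>')
    print(sanitize(sample))
```

The allowlist approach is deliberately strict: an attribute or scheme that is not listed is dropped, so new browser features cannot become bypasses by default. In a deployment this logic would normally be delegated to a maintained sanitizer library and applied on the server, where the client-side editor configuration cannot be bypassed.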
What is the Impact of CVE-2023-41592?
Successful exploitation may allow attackers to execute arbitrary script code in the context of the victim's browser, leading to session hijacking, defacement of the web application, redirection to malicious sites, or theft of sensitive cookie-based information.
What is the Exploitability of CVE-2023-41592?
Exploitation of this XSS vulnerability is generally of moderate complexity. It typically requires an attacker to submit specially crafted input through a Froala Editor instance, and then a victim user to view the rendered content containing the malicious script. Authentication requirements depend on whether the editor functionality is accessible to unauthenticated users; if not, the attacker would need to authenticate in order to inject content. No special privileges are usually needed beyond the ability to input data into the editor. This is typically a remote vulnerability, as the attacker does not need direct access to the server or client machine. The likelihood of exploitation increases if the editor is used for publicly accessible content or by a large number of users without strict input sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-41592?
Available Upgrade Options
- froala/wysiwyg-editor
  - >4.0.1, <4.1.4 → Upgrade to 4.1.4
- froala-editor
  - >4.0.1, <4.1.4 → Upgrade to 4.1.4
Additional Resources
- https://hacker.soarescorp.com/cve/2023-41592
- https://github.com/froala/wysiwyg-editor/issues/4612#issuecomment-1729818089
- https://owasp.org/Top10/A03_2021-Injection/
- https://osv.dev/vulnerability/GHSA-hvpq-7vcc-5hj5
- https://nvd.nist.gov/vuln/detail/CVE-2023-41592
- https://froala.com/wysiwyg-editor/changelog/#4.1.4
- https://owasp.org/www-project-top-ten
- https://github.com/froala/wysiwyg-editor
What are Similar Vulnerabilities to CVE-2023-41592?
Similar Vulnerabilities: CVE-2023-38831, CVE-2023-39906, CVE-2023-37905, CVE-2023-41485, CVE-2023-36657
