CVE-2019-19935 — DOM-based cross-site scripting in Froala Editor

Description

Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in JavaScript that enables rich text editing capabilities for web applications. A DOM-based cross-site scripting (XSS) vulnerability exists in versions before 3.2.3 because HTML code in the editor is not correctly sanitized when inserted into the DOM. This allows an attacker that can control the editor content to execute arbitrary JavaScript in the context of the victim’s session.

How to fix CVE-2019-19935

To remediate CVE-2019-19935, upgrade the affected package to a fixed version below.

—upgrade to 3.2.3 or later

Is CVE-2019-19935 being exploited?

Low — EPSS is 2.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.2.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-19935
PATCHgithub.com/froala/wysiwyg-editor-release
WEBpacketstormsecurity.com/files/158300/Froala-WYSIWYG-HTML-Editor-3.1.1-Cross-Site-Scripting.html
WEBblog.compass-security.com/2020/07/yet-another-froala-0-day-xss