Description
Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML editor written in JavaScript that provides rich-text editing for web applications. A DOM-based cross-site scripting (XSS) vulnerability exists in versions before 3.2.3 because HTML content in the editor is not correctly sanitized before it is inserted into the DOM.
Recommendation
Update the froala-editor package to the latest compatible version. Version details:
- Affected version(s): < 3.2.3
- Patched version(s): 3.2.3
References
- GHSA-h236-g5gh-vq6c
- blog.compass-security.com
- compass-security.com
- snyk.io
- packetstormsecurity.com
- froala.com
- CVE-2019-19935
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Tags:
- npm
- froala-editor
Last updated on January 29, 2023