
CVE-2020-22864:
Cross site scripting in froala-editor

CVSS Score (CVSS v3.1)
6.1

Basic Information

EPSS Score
0.57339%
Published
10/28/2021
Updated
2/13/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
froala-editor
Ecosystem
npm
Vulnerable Versions
<= 4.0.6
First Patched Version
4.0.11

Vulnerability Intelligence

Root Cause Analysis

The vulnerability manifests in the video insertion functionality, where user-controlled embed code is processed. The GitHub fix (418sec/wysiwyg-editor#1) shows the vulnerable code was at line 188 of video.min.js, where input sanitization was missing for dangerous URI schemes. The patch added .replace() calls that remove 'data:' and 'javascript:' prefixes, confirming that the vulnerable code path inserted unsanitized embed code. The CVE description and reproduction steps specifically implicate the video embedding feature's input handling as the vulnerable component.
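The following is an added example, not Froala's code and not the patch referenced above. It shows the defensive pattern for the code path described here: parse the src of a user-supplied video embed with the WHATWG URL parser and accept only an absolute http(s) URL on an allowlisted host, then rebuild the iframe from the validated URL alone rather than inserting the raw embed markup. The helper names (extractEmbedSrc, validateEmbedSrc, escapeAttr, buildVideoEmbed), the host allowlist and the sample embed strings are all constructed for this example.

```javascript
// Added example (not Froala's code): allowlist-based validation of the src of a
// user-supplied video embed, run before anything is inserted into the editor DOM.
// Helper names, the host allowlist and the sample inputs are constructed here.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
// Constructed host allowlist; a real deployment would maintain its own.
const ALLOWED_HOSTS = new Set(['www.youtube.com', 'player.vimeo.com']);

// Pull the src attribute value out of an <iframe ...> embed string.
// Returns null when no src attribute is present.
function extractEmbedSrc(embedCode) {
  const m = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(embedCode);
  if (!m) return null;
  const value = m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
  return value.trim();
}

// Parse with the WHATWG URL parser and accept only an absolute http(s) URL on an
// allowlisted host. Relative, malformed or other-scheme input (data:, javascript:,
// anything else) yields null, so it never reaches the document.
function validateEmbedSrc(src) {
  let url;
  try {
    url = new URL(src);
  } catch (e) {
    return null; // relative or unparseable: reject
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href; // normalized form of the accepted URL
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;')
          .replace(/"/g, '&quot;')
          .replace(/</g, '&lt;')
          .replace(/>/g, '&gt;');
}

// Rebuild the iframe from the validated URL only. Every other attribute the user
// supplied is discarded, so no markup from the raw embed string is inserted.
function buildVideoEmbed(embedCode) {
  const src = extractEmbedSrc(embedCode);
  if (src === null) return null;
  const href = validateEmbedSrc(src);
  if (href === null) return null;
  return `<iframe src="${escapeAttr(href)}" frameborder="0" allowfullscreen></iframe>`;
}

// Constructed sample inputs: one accepted, three rejected for different reasons.
const samples = [
  '<iframe src="https://www.youtube.com/embed/abc123"></iframe>', // accepted
  '<iframe src="https://example.org/embed/abc123"></iframe>',     // host not allowlisted
  '<iframe src="/embed/abc123"></iframe>',                         // relative URL
  '<iframe src="javascript:void(0)"></iframe>',                    // non-http(s) scheme
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', buildVideoEmbed(s));
}
```

The point of the design is that the decision is positive (which schemes and hosts are acceptable) rather than negative (which prefixes to strip), and that the output is regenerated from the parsed URL instead of echoing the user's markup; both properties hold regardless of how the input was spelled.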


WAF Protection Rules

WAF Rule

A cross site scripting (XSS) vulnerability in the Insert Video function of Froala WYSIWYG editor allows attackers to execute arbitrary web scripts or HTML.
