CVSS Score: -

Basic Information
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability manifests in the link insertion component, where user-supplied preview text is rendered without proper sanitization. Attack payloads demonstrate HTML tag injection in the display text parameter of links (e.g., <b<button...>). The insertLink function in the link plugin is the primary candidate, as it handles link creation logic. The XSS occurs because the function doesn't adequately escape or validate user-controlled content before writing it to the DOM, matching CWE-79's improper input neutralization pattern. While the exact code isn't available, the vulnerability description and exploit patterns strongly implicate the link insertion functionality.
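As an added example (not code from the Froala editor or this record), the snippet below models the two patterns the paragraph contrasts: link display text concatenated straight into the anchor markup, versus the same text escaped before it reaches the DOM, plus a check that flags markup introduced by the text. The function names, the sample text and the URL are assumptions.

```javascript
// Added example, not the editor's own code. insertLinkUnsafe() mirrors the
// CWE-79 pattern described in the record: display text is trusted and written
// into markup unchanged. insertLinkSafe() neutralizes it first.

// Escape the characters that can open a tag, close a tag, or break out of an
// attribute value. Apply to every user-controlled string before it becomes HTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (assumed shape): preview text is concatenated as-is.
function insertLinkUnsafe(href, text) {
  return '<a href="' + href + '">' + text + '</a>';
}

// Hardened pattern: both the attribute value and the text node are escaped,
// so the display text can only ever render as text.
function insertLinkSafe(href, text) {
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}

// Detection helper: true when the produced markup contains any tag other than
// the single <a> element the helper intends to emit.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?a(\s|>)/.test(t));
}

// Constructed sample input shaped like the record's "<b<button...>" pattern.
const sampleHref = 'https://example.com/';
const sampleText = 'Read more<b<button>';

// Stand-alone run: the unsafe builder leaks a tag, the safe one does not.
console.log(containsInjectedTag(insertLinkUnsafe(sampleHref, sampleText))); // true
console.log(containsInjectedTag(insertLinkSafe(sampleHref, sampleText)));   // false
```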
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| froala/wysiwyg-editor | composer | >= 4.0.1, <= 4.1.3 | 4.1.4 |
| froala-editor | npm | >= 4.0.1, <= 4.1.3 | 4.1.4 |