VYPR
Moderate severity · NVD Advisory · Published Jul 7, 2020 · Updated Aug 5, 2024

CVE-2019-19935

Description

Froala Editor before 3.2.3 is vulnerable to DOM-based XSS via the `<iframe srcdoc>` attribute, allowing arbitrary JavaScript execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-19935 describes a DOM-based cross-site scripting (XSS) vulnerability in the Froala WYSIWYG HTML Editor prior to version 3.2.3. The root cause is insufficient sanitization of HTML input; specifically, the editor does not filter the `<iframe>` element when it carries a `srcdoc` attribute, allowing injection of arbitrary HTML and JavaScript [2].

An attacker can exploit this vulnerability by inserting a payload such as <iframe srcdoc=""> into the editor's code view. While this is typically a self-XSS (the user attacks themselves), it becomes exploitable if untrusted data from an external source is loaded into the editor, enabling an attacker to execute malicious scripts in the context of the victim's session [2].

Successful exploitation results in arbitrary JavaScript execution with the privileges of the current user, potentially leading to data theft, session hijacking, or other malicious actions depending on the application's use of the editor [2].

The vulnerability has been resolved in Froala Editor version 3.2.3. Users are strongly advised to update to the latest version [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: froala-editor (npm)
Affected versions: < 3.2.3
Patched versions: 3.2.3

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics

Root cause

"The Froala Editor does not correctly sanitize HTML code when it is inserted into the DOM, allowing for cross-site scripting."

Attack vector

An attacker can inject an iframe tag with the srcdoc attribute containing malicious JavaScript, such as an image tag with an onerror event handler. This payload can be inserted into the editor's 'Code View'. When the editor renders this content, the JavaScript within the srcdoc attribute executes in the context of the victim's session [ref_id=1]. This vulnerability is DOM-based, meaning the malicious script is executed by the browser after the page has been loaded and processed [ref_id=1].

Affected code

The vulnerability lies within the Froala WYSIWYG HTML Editor's sanitization logic. Specifically, it fails to properly handle the iframe tag when used with the srcdoc attribute. This allows for the insertion of arbitrary HTML and JavaScript, which is then rendered by the browser, leading to DOM-based XSS [ref_id=1].

What the fix does

The vulnerability was fixed in version 3.2.3 of the Froala Editor. The patch addresses the improper neutralization of input by ensuring that potentially malicious HTML code, specifically the iframe tag with the srcdoc attribute, is correctly sanitized before being rendered into the DOM. This prevents the execution of arbitrary JavaScript code within the user's session [ref_id=1].
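The two mechanics sections above come down to one filtering mistake: treating the first `>` as the end of an `<iframe>` tag, when a `srcdoc` value is itself HTML and legitimately contains `<` and `>`. The following Node.js snippet is an added illustration, not Froala's code and not the 3.2.3 fix; it contrasts a naive regex stripper with a quote-aware scan that drops every `<iframe>` carrying `srcdoc` before untrusted content reaches an editor. The sample document is constructed and benign. For production, hand untrusted HTML to a tree-based sanitizer (DOMPurify in the browser, or a server-side equivalent) rather than this teaching scanner, which deliberately does not model every quirk of the HTML tokenizer.

```javascript
// Added example, not Froala's own code and not the 3.2.3 fix.
// Shows why a regex "tag stripper" fails on <iframe srcdoc=...> and what a
// quote-aware scan that removes such elements looks like.

// Constructed sample: a benign document with one srcdoc iframe in the middle.
// The srcdoc value contains '<' and '>', which is legal and defeats naive filters.
const SAMPLE = '<p>Hello</p><iframe srcdoc="<p>inner</p>"></iframe><p>Bye</p>';

// Naive filter: assumes the first '>' ends the tag. On SAMPLE it removes only
// '<iframe srcdoc="<p>' and leaves the srcdoc content in the document.
function naiveStrip(html) {
  return html.replace(/<iframe[^>]*>/gi, '');
}

// Locate tags while honouring quoted attribute values, so a '>' inside
// srcdoc="..." does not end the tag early. A '<' not followed by a letter
// or '/' is text, as in the HTML tokenizer.
function findTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const start = html.indexOf('<', i);
    if (start === -1) break;
    if (!/[a-zA-Z\/]/.test(html[start + 1] || '')) { i = start + 1; continue; }
    let j = start + 1;
    let quote = null;
    while (j < html.length) {
      const ch = html[j];
      if (quote) {
        if (ch === quote) quote = null;
      } else if (ch === '"' || ch === "'") {
        quote = ch;
      } else if (ch === '>') {
        break;
      }
      j++;
    }
    if (j >= html.length) break; // unterminated tag: nothing more to parse
    tags.push({ start, end: j + 1, raw: html.slice(start, j + 1) });
    i = j + 1;
  }
  return tags;
}

// Split a raw tag into its lowercased name, closing flag and attribute names.
function parseTag(raw) {
  const m = /^<(\/?)([a-zA-Z][^\s\/>]*)/.exec(raw);
  if (!m) return null;
  const attrs = new Set();
  const rest = raw.slice(m[0].length, -1); // strip tag name and trailing '>'
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let a;
  while ((a = attrRe.exec(rest)) !== null) attrs.add(a[1].toLowerCase());
  return { name: m[2].toLowerCase(), closing: m[1] === '/', attrs };
}

// Drop every <iframe> that carries a srcdoc attribute, together with its
// content up to the matching </iframe> when one follows. Returns the cleaned
// HTML and the number of removed elements so the caller can log the event.
function stripIframeSrcdoc(html) {
  const tags = findTags(html);
  let out = '';
  let cursor = 0;
  let removed = 0;
  for (let k = 0; k < tags.length; k++) {
    const t = tags[k];
    if (t.start < cursor) continue; // already inside a removed span
    const p = parseTag(t.raw);
    if (!p || p.closing || p.name !== 'iframe' || !p.attrs.has('srcdoc')) continue;
    out += html.slice(cursor, t.start);
    let end = t.end;
    for (let n = k + 1; n < tags.length; n++) {
      const q = parseTag(tags[n].raw);
      if (q && q.closing && q.name === 'iframe') { end = tags[n].end; break; }
    }
    cursor = end;
    removed++;
  }
  out += html.slice(cursor);
  return { html: out, removed };
}

console.log('naive  :', naiveStrip(SAMPLE));
console.log('scanner:', stripIframeSrcdoc(SAMPLE));
```

Run it with `node` and compare the two lines: the naive version leaves `inner</p>"></iframe>` in the output, i.e. the srcdoc body has escaped into the surrounding document, while the scanner returns `<p>Hello</p><p>Bye</p>` with `removed: 1`. Plain `src` iframes are left alone, and the attribute check is case-insensitive, which matters because the browser's tokenizer is too.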

Preconditions

  • Input: The attacker must be able to control the content inserted into the Froala editor. This could be through direct input or by injecting data from a non-controlled source into the editor.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0 (No linked articles in our index yet.)