CVE-2020-22864
Description
A stored XSS vulnerability in Froala WYSIWYG Editor 3.1.0's Insert Video function allows attackers to execute arbitrary scripts via crafted video URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Froala WYSIWYG Editor version 3.1.0 contains a cross-site scripting (XSS) vulnerability in the Insert Video function. The editor fails to sanitize user-supplied input for the video URL, allowing an attacker to inject arbitrary HTML or JavaScript code that is executed when the video is rendered. This issue affects the video.min.js plugin as documented in the related pull requests [1][4].
Exploitation
An authenticated user with access to the editor can craft a malicious video URL containing script payloads. When the victim inserts the video via the editor's 'Insert Video' dialog, the unsanitized URL is embedded into the page and executed in the context of the victim's browser session. No additional privileges or complex conditions are required beyond the ability to use the editor's video insertion feature [1][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript or HTML in the context of the victim's browser, leading to potential session hijacking, data theft, defacement, or other malicious actions. The impact is limited by the scope of the editor's usage, but can affect any user viewing content that includes the malicious video element [3].
Mitigation
A fix was proposed in pull requests [1] and [4] and is included in versions after 3.1.0. The official repository has been updated; users should upgrade to the latest version of Froala WYSIWYG Editor. As of the publication date of this CVE, no standalone patch or workaround has been published other than upgrading to a patched release [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
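As an added illustration of the mitigation described above (example code, not Froala's own code or its fix), the helper below shows the allowlist-and-canonicalize approach a WYSIWYG "Insert Video" dialog can apply to a user-supplied URL before any markup is built. The helper names, the provider allowlist and the sample video ids are assumptions.

```javascript
// Added hardening example for a WYSIWYG "Insert Video" dialog; hypothetical
// helpers, not Froala's code. Only https URLs on an allowlisted video host are
// accepted, and the embed URL is rebuilt from the parsed video id, so no raw
// user-controlled text ever reaches the generated markup.
const VIDEO_ID = /^[A-Za-z0-9_-]{6,64}$/;   // plain token: no quotes, slashes or angle brackets

function ytWatch(u) {           // https://www.youtube.com/watch?v=<id>
  return u.pathname === "/watch" ? u.searchParams.get("v") : null;
}
function firstSegment(u) {      // https://youtu.be/<id>, https://vimeo.com/<id>
  return u.pathname.slice(1) || null;
}

// host -> [id extractor, canonical embed prefix]; assumed allowlist
const PROVIDERS = {
  "www.youtube.com": [ytWatch, "https://www.youtube.com/embed/"],
  "youtube.com":     [ytWatch, "https://www.youtube.com/embed/"],
  "youtu.be":        [firstSegment, "https://www.youtube.com/embed/"],
  "vimeo.com":       [firstSegment, "https://player.vimeo.com/video/"],
};

// Returns a canonical https embed URL, or null when the input must be rejected.
function safeVideoEmbedUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null;                                  // relative or unparseable input
  }
  if (url.protocol !== "https:") return null;    // drops javascript:, data:, http:
  if (url.username || url.password) return null; // no credentials in the URL
  const provider = PROVIDERS[url.hostname.toLowerCase()];
  if (!provider) return null;                     // host not on the allowlist
  const [extract, prefix] = provider;
  const id = extract(url);
  return id && VIDEO_ID.test(id) ? prefix + id : null;
}

// Escapes the characters that could break out of a double-quoted attribute.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the iframe only from the canonical URL; returns null on rejection so
// the caller can show a validation error instead of inserting anything.
function buildVideoEmbed(input) {
  const src = safeVideoEmbedUrl(input);
  return src === null ? null : `<iframe src="${escapeAttr(src)}" allowfullscreen></iframe>`;
}
```

In a real editor the returned URL should be assigned with `iframe.setAttribute("src", ...)` on a DOM node rather than concatenated into HTML; the string builder here is kept only so the result can be inspected.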
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| froala-editor (npm) | < 4.0.11 | 4.0.11 |
Affected products
- Froala/WYSIWYG Editor
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-97x5-cc53-cv4v (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-22864 (ghsa, advisory)
- github.com/418sec/wysiwyg-editor/pull/1 (ghsa, web)
- github.com/froala/wysiwyg-editor/issues/3880 (ghsa, x_refsource_MISC, web)
- github.com/froala/wysiwyg-editor/pull/3911 (ghsa, web)
- github.com/froala/wysiwyg-editor/releases/tag/v4.0.11 (ghsa, web)
- www.youtube.com/watch (ghsa, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.