CVE-2021-30109
Description
Froala Editor 3.2.6 has a persistent XSS vulnerability via crafted base64 string in hyperlink creation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-30109 describes a persistent (stored) cross-site scripting vulnerability in Froala WYSIWYG Editor 3.2.6. The root cause is insufficient sanitization of the user-supplied link target in the hyperlink creation feature: a crafted base64 string supplied there is accepted without validation and carried into the editor's HTML output, which lets an attacker inject arbitrary JavaScript [2][4].
Exploitation requires only the ability to supply content through the editor, typically as an ordinary user of a web application that embeds Froala and stores what the editor produces. The crafted string passes through the hyperlink module unchanged, so the application persists it along with the rest of the content; no privileged role or special network position is needed beyond normal access to the editor [2][4].
Because the payload is stored, the script runs in the browser of every user who later views the affected content, with that user's session and privileges. The usual stored-XSS consequences follow: session hijacking, credential theft, defacement, and actions performed in the victim's name [2].
The advisory lists no patched version for 3.2.6; the vendor may have addressed the issue in a later release, so check the vendor's release notes before relying on an upgrade alone [2][4]. Independently of the editor version, applications should sanitize editor output server-side before storing or rendering it, since a fix that lives only in client-side JavaScript is bypassed by anyone who posts HTML directly to the application's endpoints.
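As an added example, not code from this page, from Froala, or from the linked proof-of-concept write-up, the following JavaScript shows the check a hardened "insert link" handler applies before an href is written into editor output: the link target is classified by its real URL scheme against an allow-list, and the anchor is only built when the scheme passes. It assumes, as the advisory does not state explicitly, that the crafted base64 string arrives as the body of a `data:` URL; the function names, the placeholder `BASE` used to resolve relative links, and the sample inputs are all constructed here.

```javascript
// Added example (not Froala's code): allow-listing link targets before a
// WYSIWYG "insert link" action turns them into an <a href> in stored HTML.
// Assumptions (not confirmed by the advisory): the crafted base64 string is
// carried in a data: URL, and links are resolved against the host page, which
// BASE stands in for here so that relative links such as "/docs" still pass.
const BASE = "https://example.invalid/";
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape the five characters that matter inside text nodes and quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Use the WHATWG URL parser rather than a regex: it lowercases the scheme,
// strips embedded tabs/newlines and leading control characters, and resolves
// relative references, so "\tJaVaScRiPt:..." and "data:...;base64,..." are
// both classified by their real scheme instead of by how they were spelled.
function isSafeLinkHref(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    url = new URL(href, BASE);
  } catch {
    return false; // unparsable input: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Build the anchor markup the editor would persist; returns null when the
// target fails the allow-list so the caller can reject the action outright.
function buildAnchorHtml(text, href) {
  if (!isSafeLinkHref(href)) return null;
  return `<a href="${escapeHtml(href.trim())}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample inputs: three legitimate targets, three that must be refused.
const SAMPLES = [
  ["Docs", "https://example.com/?a=1&b=2"],
  ["Home", "/docs"],
  ["Mail", "mailto:security@example.com"],
  ["Bad1", "javascript:alert(1)"],
  ["Bad2", "\tJaVaScRiPt:alert(1)"],
  ["Bad3", "data:text/html;base64,SGVsbG8="], // base64 of "Hello", constructed
];

// Returns [href, allowed] pairs so the decision for each sample can be checked.
function classifySamples() {
  return SAMPLES.map(([text, href]) => [href, buildAnchorHtml(text, href) !== null]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [href, ok] of classifySamples()) {
    console.log(ok ? "allow " : "reject", JSON.stringify(href));
  }
}
```

Run it with `node` to see the allow/reject decision for each sample. The same check belongs on the server that stores the editor's HTML: the client-side version improves the user experience, the server-side version is the control.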
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| froala-editor (npm) | <= 3.2.6 | — |
Affected products
- Froala Editor / Froala Editor
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-cq6w-w5rj-p9x8 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-30109 (GHSA advisory)
3. froala.com (GHSA, x_refsource_MISC, web)
4. github.com/Hackdwerg/CVE-2021-30109/blob/main/README.md (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.