HackerOne report H1:938683 (chackal), Jul 23, 2020 - 2:13 p.m.

lemlist: CVE-2019-19935 - DOM based XSS in the froala editor

2020-07-23 14:13:49 | chackal | hackerone.com

EPSS: 0.011 (Low), percentile 84.9%

Summary:

A stored XSS flaw exists in the Froala editor used in the web application.

It can be triggered through the editor's code view.

Steps To Reproduce:

  1. Start a new campaign

  2. Fill in all the fields and choose the blank email template for the message

  3. Switch to the code editor view and inject <iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>
    {F919075}

  4. Switch back to the normal editor view and the XSS will be triggered

{F919076}

See attachments.

Supporting Material/References:

Heavily inspired by the following article:
https://blog.compass-security.com/2020/07/yet-another-froala-0-day-xss/

Remediation:

Unfortunately, Froala has not yet released a fix for this bug, but an advisory has been published:
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2020-004_DOM_XSS_in_Froala_WYSIWYG_HTML_Editor.txt
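While the editor itself is unfixed, the application can refuse to store or re-render active content coming out of code view. Below is an added example of such a check, written for this page and not taken from the report, lemlist or Froala: an allowlist-based HTML sanitizer in Python that drops whole `<iframe>` subtrees (the `srcdoc` attribute carries a complete nested document, which is what makes the payload above execute once the WYSIWYG view renders it), every `on*` event-handler attribute, and any `href`/`src` whose URL scheme is not http, https or mailto. The tag and attribute allowlists are this example's own choices; the sample inputs are constructed, the first one being the exact payload from the report.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists are this example's own choices; adjust to the markup your editor must support.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "a", "img", "div", "span", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
# Elements removed together with everything inside them: leaving their content
# behind as text would change the document's meaning or leak script source.
DROP_SUBTREE = {"iframe", "script", "style", "object", "embed", "svg", "math", "template"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" means a relative URL


def url_is_safe(value):
    """Reject javascript:, data: and any other scheme not on the allowlist."""
    # Browsers ignore whitespace/control characters inside a scheme, so strip
    # them first; otherwise a split-up scheme could pass a naive prefix check.
    cleaned = "".join(ch for ch in (value or "") if ch.isprintable() and not ch.isspace())
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # serialized safe HTML fragments
        self.dropped = []    # audit trail: what was removed and why (useful for logging)
        self._skip_tag = None
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if self._skip_tag:                      # inside a dropped subtree
            if tag == self._skip_tag and tag not in VOID_TAGS:
                self._skip_depth += 1           # nested same-name element
            return
        if tag in DROP_SUBTREE:
            self.dropped.append(f"<{tag}> subtree")
            self._skip_tag, self._skip_depth = tag, 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}> tag")   # unknown tag: keep its text, lose the tag
            return
        kept = []
        for name, value in attrs:               # HTMLParser lowercases attribute names
            if name.startswith("on"):           # onerror, onload, onclick, ...
                self.dropped.append(f"{tag}@{name} event handler")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name} attribute")
            elif name in ("href", "src") and not url_is_safe(value):
                self.dropped.append(f"{tag}@{name} unsafe URL")
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):   # <br/>, <img .../>
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._skip_depth -= 1
                if self._skip_depth == 0:
                    self._skip_tag = None
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_tag:
            self.out.append(escape(data, quote=False))   # re-escape all text

    def handle_comment(self, data):
        self.dropped.append("comment")          # comments are never re-emitted


def sanitize(html):
    """Return (clean_html, dropped_items) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed samples; the first is the exact payload from the report above.
SAMPLES = {
    "report_payload": '<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>',
    "mixed": '<p onclick="x()">Hello <img src=x onerror=alert(1)> '
             '<a href="javascript:alert(1)">bad</a> <a href="https://example.com">ok</a></p>',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        clean, dropped = sanitize(raw)
        print(f"{name}: {clean!r}\n  dropped: {dropped}")
```

The `dropped` list is the part worth wiring into monitoring: a user whose submitted template repeatedly loses `<iframe>` subtrees or `on*` handlers is either pasting from a hostile source or probing the editor. For production use, a maintained sanitizer library (DOMPurify in the browser, for instance) is preferable to a hand-rolled allowlist, but the allowlist-plus-subtree-drop logic is the same.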

Impact

This issue can lead to cookie theft, creation of fake forms by embedding an iframe, DOM rewriting, and so on.
