A stored XSS flaw exists in the Froala editor used in the web application.
It can be triggered through the code view of the editor:
Start a new campaign.
Fill in all the fields and choose the blank email template for the message.
Switch to the code editor view and inject <iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>
{F919075}
Switch back to the normal editor view and the XSS will be triggered.
{F919076}
See attachments.
Heavily inspired by the following article:
https://blog.compass-security.com/2020/07/yet-another-froala-0-day-xss/
Unfortunately, the Froala editor has not provided a fix for this bug yet but published an advisory:
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2020-004_DOM_XSS_in_Froala_WYSIWYG_HTML_Editor.txt
This issue can lead to cookie theft, fake forms created by including an iframe, DOM rewriting and so on.
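
Because the payload is stored with the campaign and the event handler sits inside the iframe's srcdoc attribute value rather than in the top-level markup, an audit of saved message bodies has to parse srcdoc as HTML in its own right. The following is an added example, not part of the original report or of Froala's code: the names scan, audit, STORED and MAX_DEPTH and the sample rows are assumptions constructed for illustration, and Python's html.parser only approximates browser parsing, so this is a triage check and not a sanitizer.

```python
from html.parser import HTMLParser

MAX_DEPTH = 3  # assumed cap on how many nested srcdoc documents are followed


class SrcdocScanner(HTMLParser):
    """Collects (depth, tag, attribute) for script-capable attributes."""

    def __init__(self, depth=0):
        super().__init__(convert_charrefs=True)
        self.depth = depth
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased, values entity-decoded.
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                # Inline event handler such as onerror= or onload=
                self.findings.append((self.depth, tag, name))
            elif name == "srcdoc":
                # srcdoc carries a whole HTML document: record it, then
                # parse its value so handlers hidden inside are found too.
                self.findings.append((self.depth, tag, name))
                if self.depth < MAX_DEPTH:
                    self.findings += scan(value, self.depth + 1)


def scan(html, depth=0):
    """Return the findings for one stored HTML body."""
    parser = SrcdocScanner(depth)
    parser.feed(html)
    parser.close()
    return parser.findings


def audit(rows):
    """Map each stored body's id to its findings, omitting clean bodies."""
    return {key: hits for key, body in rows.items() if (hits := scan(body))}


# Constructed sample rows; the second body is the markup from the report.
STORED = {
    "campaign-1": '<p>Hello <a href="https://example.com">offer</a></p>',
    "campaign-2": '<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>',
}

if __name__ == "__main__":
    for key, hits in audit(STORED).items():
        print(key, hits)
```

A finding at depth 1 or deeper means the handler was only visible after parsing a srcdoc value, which is the case a top-level attribute filter misses.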