CVE-2019-19935 - DOM based XSS in the froala editor
Low
Vulnerability Details
## Summary:
A stored XSS flaw exists in the Froala editor used in the web application.
It can be triggered through the editor's code view.
## Steps To Reproduce:
1. Start a new campaign
2. Fill in all the fields and choose the blank email template for the message
3. Switch to the code editor view and inject `<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>`
{F919075}
4. Switch back to the normal editor view and the XSS will be triggered
{F919076}
See attachments.
## Supporting Material/References:
Heavily inspired by the following article:
[https://blog.compass-security.com/2020/07/yet-another-froala-0-day-xss/](https://blog.compass-security.com/2020/07/yet-another-froala-0-day-xss/)
## Remediation:
Unfortunately Froala has not yet released a fix for this bug, but an advisory has been published:
[https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2020-004_DOM_XSS_in_Froala_WYSIWYG_HTML_Editor.txt](https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2020-004_DOM_XSS_in_Froala_WYSIWYG_HTML_Editor.txt)
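Until the editor ships a fix, the application itself can refuse to store or render unsanitized editor content. The following is an added example (not code from the report, the application or Froala) of a server-side allowlist sanitizer in Python, run over the payload above; the tag and attribute allowlist and the accepted URL schemes are assumptions to be tuned to the editor's feature set.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist (assumption): tags/attributes the email template may keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "a", "img",
                "ul", "ol", "li", "h1", "h2", "h3", "div", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "svg"}


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1          # iframe (and its srcdoc) never reaches the output
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            # Event handlers (onerror, onload, ...) and non-allowlisted attributes go.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            url = (value or "").strip().lower()
            if name in ("href", "src") and not url.startswith(SAFE_SCHEMES):
                continue            # blocks javascript:, data:, and bare relative junk
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def sanitize(html: str) -> str:
    """Return an allowlist-filtered copy of editor-submitted HTML."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)
```

Run `sanitize` on the submitted template before it is persisted and again before it is rendered, so a payload entered through code view cannot reach the WYSIWYG view.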
## Impact
This issue can lead to cookie stealing, creating fake forms by including an iframe, DOM rewriting and so on.
Report Stats
- Report ID: 938683
- State: Closed
- Substate: resolved
- Upvotes: 10