Stored XSS via image markdown in outline/outline

Status: Valid

Reported on Aug 4th 2022


Description

The site renders markdown image syntax (![alt](url)) and uses the supplied link as the image source. It accepts a data: URL as that source, so an SVG document carrying an event handler can be embedded, which gives stored XSS.

Proof of Concept

Payload:

![abc](data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoJ1hTUycpIi8+)

Video: YouTube

Only works in Google Chrome.

Impact

Stored XSS

We are processing your report and will contact the outline team within 24 hours. (2 months ago)
Nguyen Cong Vinh modified the report. (2 months ago)
We have contacted a member of the outline team and are waiting to hear back. (2 months ago)
Nguyen Cong Vinh modified the report. (2 months ago)
Tom Moor (Maintainer), 2 months ago:

Hey, can you prove exfiltration of data with this? Just executing javascript inside a data: url context doesn't really have any security implications that I'm aware of – the browsers sandbox origin and cookie access for exactly this reason.

Nguyen (Researcher), 2 months ago:

Sorry, it looks like I was ignoring that; it can't seem to access the origin or cookies. But XSS has many other impacts, not only in terms of security. Examples: running malicious scripts, attacking users (getting their IP address, hacking the webcam...), navigating to malicious or fake websites, etc.

Its severity should be medium or low.

Nguyen (Researcher), 2 months ago:

I see you use markdown-it in your repo. The markdown-it Security Policy also prohibits some kinds of links that could be used for XSS, including data: (see the markdown-it Security Policy).
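Worked example, added here to illustrate the payload above and the markdown-it policy mentioned in this comment. This is my own code, not Outline's and not the fix that was later merged: it decodes the reported data: URL so the embedded SVG can be read, then applies an image-destination check whose rule mirrors markdown-it's default validateLink (vbscript:, javascript:, file: and data: are rejected, except data:image/{gif,png,jpeg,webp}). The parseImage, decodeDataUrl and renderImage helpers are names and simplifications assumed for this example; the sample markdown strings are constructed inputs.

```javascript
// Added example (not Outline's code, not the merged fix): decode the reported
// payload and show a markdown-it style destination check for image sources.
// Runs under Node.js with no dependencies.

// Rule mirrors markdown-it's default validateLink policy.
const BAD_PROTO_RE = /^(vbscript|javascript|file|data):/;
const GOOD_DATA_RE = /^data:image\/(gif|png|jpeg|webp);/;

// True only if the destination is safe to emit as an <img src>.
// Note that data:image/svg+xml is deliberately NOT in the allowlist: an SVG
// document can carry script and event handlers, a raster image cannot.
function validateLink(url) {
  const str = url.trim().toLowerCase();
  return BAD_PROTO_RE.test(str) ? GOOD_DATA_RE.test(str) : true;
}

// Minimal parser for one inline image, ![alt](dest). Assumption for this
// example: no title, no whitespace in the destination, no nested brackets.
function parseImage(markdown) {
  const m = /^!\[([^\]]*)\]\(([^\s)]+)\)$/.exec(markdown.trim());
  return m ? { alt: m[1], src: m[2] } : null;
}

// Split a data: URL into its media type and decoded body so the embedded
// document can be inspected (base64 or percent-encoded payloads).
function decodeDataUrl(url) {
  const m = /^data:([^;,]+)(;base64)?,(.*)$/i.exec(url);
  if (!m) return null;
  const body = m[2]
    ? Buffer.from(m[3], 'base64').toString('utf8')
    : decodeURIComponent(m[3]);
  return { mediaType: m[1].toLowerCase(), body };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render an image token the way a hardened renderer would: emit <img> only
// when the destination passes validateLink, otherwise fall back to the
// literal (escaped) markdown text, which is what markdown-it does for a
// rejected link.
function renderImage(markdown) {
  const img = parseImage(markdown);
  if (!img || !validateLink(img.src)) return escapeHtml(markdown);
  return `<img src="${escapeHtml(img.src)}" alt="${escapeHtml(img.alt)}">`;
}

// The payload from the report above.
const PAYLOAD =
  '![abc](data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoJ1hTUycpIi8+)';

// A constructed benign input: a raster data: image, which the policy allows.
const BENIGN = '![ok](data:image/png;base64,iVBORw0KGgo=)';

const decoded = decodeDataUrl(parseImage(PAYLOAD).src);
console.log(decoded.mediaType, '->', decoded.body);
console.log('payload rendered as:', renderImage(PAYLOAD));
console.log('benign rendered as: ', renderImage(BENIGN));
```

Decoding the payload shows why the allowlist is shaped the way it is: the body is a bare SVG element whose onload attribute is the script, and a renderer that copies the destination straight into src would pass it through unchanged. With the check in place the SVG data: URL is rendered as inert text while data:image/png still produces an <img>; the scheme test is case-insensitive, so JavaScript: and DATA: variants are caught as well.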

Nguyen Cong Vinh modified the report. (2 months ago)
We have sent a follow up to the outline team. We will try again in 7 days. (a month ago)
Tom Moor (Maintainer), a month ago:

Would accept as Low. I think it should be fixed, but you've not really proven any security impact of note from it.

Nguyen Cong Vinh modified the report. (a month ago)
Nguyen (Researcher), a month ago:

I thought so too, and I changed Attack Complexity to High because the attack requires harsher conditions.

Tom Moor validated this vulnerability. (a month ago)
Nguyen Cong Vinh has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Tom Moor confirmed that a fix has been merged on e5c5e8. (a month ago)
The fix bounty has been dropped.