Hiperlink injection in email in outline/outline

Valid

Reported on

Jul 2nd 2022


BUG

Hiperlink injection in email

SUMMURY

There is no character length limit in user fullname . So, user can set fullname to large number character and also can put link url .

DETAILS

1. goto admin account profile and change fullname to bellow

Hi, You have been invited to getoutline . If you are  existing user then login to http://attacker.com/?login=true .
If not then goto http://attacker.com/?invite=true&id=xyz  and setup with your account.Then  login with your new password . Ignore this mail if already done .

2. Now invite a user called user-B as viewer role . Now user-B received a mail like bellow .

dd

Here user-B think its a real email and its from outline .so, victim will trust it and victim will login or signup into attacker site.
Then attacker get the victim password or some other token .

I see getoutline does not have password authentication . But attacker can steal other type token or mislead the users.

My suggestion is to limit the fullname character limit and dont allow hiperlink in fullname

REFERENCES

here is few hackerone report similar to it https://hackerone.com/reports/950180
https://hackerone.com/reports/864751
https://hackerone.com/reports/843421
https://hackerone.com/reports/164833
https://hackerone.com/reports/158554

Impact

hyperlink injection in fullname allow to confuse user and steal victim password

We are processing your report and will contact the outline team within 24 hours. a month ago
ranjit-git modified the report
a month ago
Tom Moor modified the Severity from Medium to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Tom Moor validated this vulnerability a month ago

Valid, however attack potential is limited as we do not have user passwords.

ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor confirmed that a fix has been merged on 8ebe4b a month ago
The fix bounty has been dropped
Profile.tsx#L20-L169 has been validated
users.test.ts#L11-L126 has been validated
AuthStore.ts#L24-L280 has been validated
users.ts#L33-L356 has been validated
users.test.ts#L136-L650 has been validated
to join this conversation