Cross-site Scripting via link creation bypass filter javascript scheme in outline/outline

Status: Valid

Reported on Jul 21st 2022


Description

The markdown link-creation feature allows inserting link paths that use the javascript scheme: the javascript-scheme filter can be bypassed by adding an https scheme prefix, so this flaw leads to an XSS vulnerability.

The payload used is the following:

Proof of Concept


Steps to reproduce

1. Create a new document
2. Add a link as [xss](javascript:alert``))

PoC Video

https://drive.google.com/file/d/1qlcih2JP_N57KGhfDqbP0E-MmoRTSHlq/view?usp=sharing

Note: If the image quality is low when viewing it live, you can download the video and watch it locally.

Impact

An attacker could use this vulnerability to take over an admin account and gain access to all features of the Outline application.
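The defensive counterpart to the bug described above, as an added example that is not Outline's code or its actual fix: a link-href check that parses the URL and accepts only an allowlist of schemes, instead of looking for the string "javascript:" in the href. The base URL and the allowlist contents are assumptions chosen for illustration.

```javascript
// Added example (not Outline's code): allowlist-based href validation for
// markdown links. A denylist that searches the href for "javascript:" is
// fragile (case, leading whitespace, embedded tabs, scheme prefixes); parsing
// with the WHATWG URL API and allowlisting the resulting protocol is not.

// Assumed allowlist: only these schemes may become clickable links.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Assumed base used to resolve relative links; never rendered anywhere.
const RESOLVE_BASE = "https://example.invalid/";

// Returns true only when the href parses to an allowlisted scheme.
// Relative links (no scheme) resolve against the base and inherit "https:";
// anything the parser rejects is treated as unsafe.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    // The URL parser strips leading/trailing C0 controls and spaces, removes
    // tabs and newlines, and lower-cases the scheme, so "  JaVaScRiPt:alert``"
    // and "java\tscript:alert``" both parse as protocol "javascript:".
    url = new URL(href, RESOLVE_BASE);
  } catch {
    return false;
  }
  return SAFE_PROTOCOLS.has(url.protocol);
}

// Sanitize a markdown link href: keep it when safe, otherwise return null so
// the renderer emits plain text rather than a clickable javascript: URL.
function sanitizeLinkHref(href) {
  return isSafeHref(href) ? href : null;
}
```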

Timeline

We are processing your report and will contact the outline team within 24 hours. (13 days ago)
Nhien.IT modified the report (13 days ago)
We have contacted a member of the outline team and are waiting to hear back (12 days ago)
Tom Moor validated this vulnerability (11 days ago)
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor confirmed that a fix has been merged on ef2abf (11 days ago)
The fix bounty has been dropped
Nhien.IT (Researcher), 8 days ago:

Hi @maintainer, can you assign a CVE ID for this vulnerability? If possible, I hope @admin will help!

Jamie Slome (Admin), 8 days ago:

Happy to assign a CVE if the maintainer is happy to proceed with one 👍
