Cross-site Scripting via link creation bypass filter javascript scheme in outline/outline

Status: Valid

Reported on Jul 21st 2022


Description

Outline's markdown link-creation feature allows inserting a link target that uses the javascript: scheme. The existing filter for the javascript: scheme can be bypassed by adding an https scheme prefix, so this flaw leads to an XSS vulnerability.

The payload used is the following:

Proof of Concept

[Proof-of-concept screenshot]

Steps to reproduce

1. Create new document
2. Add link as [xss](javascript:alert``))
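The defensive counterpart to the report above, as an added example that is not Outline's code and not the fix shipped in 0.66.0: a link renderer that decides on the parsed scheme of each markdown link target instead of searching the raw string for "javascript:". Because the check runs on the scheme the URL parser actually reports, casing, inserted tab/newline characters and anything pushed in front of the target cannot turn a rejected scheme into an accepted one. The base URL, the allowlist and the sample markdown are assumptions constructed for the example.

```javascript
// Added example, not Outline's own code: render markdown inline links into
// anchors while refusing any link target whose scheme is not allowlisted.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
// Hypothetical base, used only to resolve relative targets such as "/doc/abc".
const BASE_URL = "https://wiki.example.invalid/";

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirror what browsers do before reading a scheme: drop tab/CR/LF anywhere and
// trim leading/trailing C0 controls and spaces. A substring check for
// "javascript:" on the raw input would miss "java\tscript:" or "  JAVASCRIPT:".
function normalizeTarget(raw) {
  return String(raw)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

function isSafeLinkTarget(raw) {
  const target = normalizeTarget(raw);
  // Empty targets and any remaining control characters are refused outright.
  if (target === "" || /[\u0000-\u001f\u007f]/.test(target)) return false;
  let url;
  try {
    url = new URL(target, BASE_URL); // relative targets inherit the base scheme
  } catch {
    return false; // unparseable: refuse rather than guess
  }
  // Decide on the parsed scheme, not on string matching: the parser lowercases
  // it and reports whatever really comes first, so "javascript:alert``" is
  // rejected no matter how it is written.
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Minimal "[text](target)" matcher for inline links (constructed for the example).
const INLINE_LINK = /\[([^\]]*)\]\(([^)\s]*)\)/g;

// Turns each inline link into an anchor when its target is safe; otherwise the
// link is dropped and only the escaped link text is kept. Text between links
// is HTML-escaped as well.
function renderMarkdownLinks(markdown) {
  let out = "";
  let last = 0;
  for (const m of markdown.matchAll(INLINE_LINK)) {
    out += escapeHtml(markdown.slice(last, m.index));
    const [, text, target] = m;
    out += isSafeLinkTarget(target)
      ? `<a href="${escapeHtml(normalizeTarget(target))}" rel="noopener noreferrer">${escapeHtml(text)}</a>`
      : escapeHtml(text);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(markdown.slice(last));
}

// Constructed sample: the reported payload next to an ordinary https link.
const SAMPLE = "see [xss](javascript:alert``) and [docs](https://example.com/d?a=1&b=2)";
console.log(renderMarkdownLinks(SAMPLE));
```

Running the block prints the sample with the javascript: link reduced to its plain text and the https link rendered as an anchor. Allowlisting schemes (rather than denylisting "javascript:") is the design choice that matters here: new or unusual schemes such as data: are refused by default instead of slipping through until someone thinks to block them.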

PoC Video

https://drive.google.com/file/d/1qlcih2JP_N57KGhfDqbP0E-MmoRTSHlq/view?usp=sharing

Note: if the image quality is low when viewing the video online, you can download it and watch it locally.

Impact

An attacker could use this vulnerability to take over an admin account and gain access to all the features of the Outline application.

- We are processing your report and will contact the outline team within 24 hours. (a year ago)
- Nhien.IT modified the report. (a year ago)
- We have contacted a member of the outline team and are waiting to hear back. (a year ago)
- Tom Moor validated this vulnerability. (a year ago)
- Nhien.IT has been awarded the disclosure bounty.
- The fix bounty is now up for grabs.
- The researcher's credibility has increased: +7
- Tom Moor marked this as fixed in 0.66.0 with commit ef2abf. (a year ago)
- The fix bounty has been dropped.
- This vulnerability will not receive a CVE.
Nhien.IT (Researcher), a year ago:

Hi @maintainer, can you assign a CVE id for this vulnerability? If possible, hope @admin will help!

Jamie Slome (Admin), a year ago:

Happy to assign a CVE if the maintainer is happy to proceed with one 👍
