Description

JSFiddle, Gliffy, Otter and Tldraw embeds lack sufficient input validation. Every one of them can be abused to achieve a stored XSS on a main application domain. This XSS triggers for everyone viewing the document.

Proof of Concept

PoC file is different for each vulnerable embed. See PoCs in Occurrences section

Steps to reproduce

• Save PoC content to a file
• Upload this file to Outline via import document

XSS triggers for everyone viewing this document

Technical details

These vulnerabilities are possible due to a combination of two factors:

1. RegExps are missing ^ at the beginning.
2. Components use props.attrs.href as src for resulting iframe

For example, a line

javascript:...//https://jsfiddle.net/a/b

would be processed by JSFiddle embed and result in

<iframe src="javascript:...//https://jsfiddle.net/a/b" ... >

which leads to payload being executed in the context of the main domain.

Mitigation recommendations

• Add ^ in the beginning of the RegExps
• Do not reflect props.attrs.href in the responses

Impact

Anyone with permissions to create new documents is able to run arbitrary javascript code in other users' browsers within application's main domain.

Attacker is able to do everything a victim has rights to do within the app. The most straightforward way to abuse it would be to:

• Steal victim's users session
• Issue a new API token for victim and exfiltrate it

If attacker has Editor role, this XSS could be used against a user with administrative permissions to escalate to the Admin role.