Outline IDOR Vulnerability in Document Restoration Logic Allows Unauthorized Access and Ownership Hijacking

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Outline versions prior to 1.4.0. It allows any team member to restore, view, and take ownership of deleted drafts belonging to other users, including administrators, without authorization. The root cause is that the document restoration process does not verify that the requesting user owns the draft being restored, so an attacker can both read sensitive draft content and cut the original owner off from it.

Impact

Exploitation of this vulnerability allows unauthorized users to access and read private draft content, take ownership of deleted documents, and permanently deny the original owners access to their own drafts.

Reproduction

To reproduce this vulnerability, a team member must first obtain the UUID of a deleted draft, which is obtainable through a separate, previously known information disclosure vulnerability. With that UUID, the attacker's own session token is sufficient: because no ownership check is applied during restoration, the draft can be restored into a collection the attacker controls, effectively hijacking the document.
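To make the missing check concrete, the following is an added example (not Outline's code; the handler names, types and sample draft are hypothetical) that models the vulnerable restore pattern beside a hardened version which enforces that only a draft's creator may restore it:

```typescript
// Hypothetical model of a draft-restore handler (not Outline's implementation).
interface User { id: string; teamId: string; }
interface Draft {
  id: string;
  teamId: string;
  createdById: string;
  collectionId: string | null; // null = unpublished draft
  deletedAt: Date | null;
}

class AuthorizationError extends Error {}
class NotFoundError extends Error {}

// Constructed sample data: one deleted draft owned by an administrator.
const drafts = new Map<string, Draft>([
  ["d1", { id: "d1", teamId: "t1", createdById: "admin",
           collectionId: null, deletedAt: new Date() }],
]);

function loadDraft(actor: User, draftId: string): Draft {
  const draft = drafts.get(draftId);
  // Team membership is checked, but that is all the vulnerable path verifies.
  if (!draft || draft.teamId !== actor.teamId) throw new NotFoundError(draftId);
  return draft;
}

// Vulnerable pattern: any team member who knows the draft's UUID can restore
// it into a collection they control, taking it away from the creator.
function restoreDraftUnsafe(actor: User, draftId: string, collectionId: string): Draft {
  const draft = loadDraft(actor, draftId);
  return { ...draft, deletedAt: null, collectionId };
}

// Hardened pattern: a deleted, unpublished draft may only be restored by the
// user who created it; everyone else (admins included) is refused.
function restoreDraft(actor: User, draftId: string, collectionId: string): Draft {
  const draft = loadDraft(actor, draftId);
  if (draft.collectionId === null && draft.createdById !== actor.id) {
    throw new AuthorizationError("only the draft's creator may restore it");
  }
  return { ...draft, deletedAt: null, collectionId };
}
```

The `NotFoundError` for out-of-team ids and `AuthorizationError` for in-team non-owners keeps the response distinguishable in server logs, which is where an attempted restore of someone else's draft would show up.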

Remediation

Users are advised to update to Outline version 1.4.0 or later, where this vulnerability has been fixed.

Added: Mar 17, 2026, 4:27 PM
Updated: Mar 17, 2026, 4:27 PM

Vulnerability Rating

Custom Algorithm
  spread          3.4
  impact          3.1
  exploitability  6.4
  remediation     7.7
  relevance       4.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.