Outline Events API Information Disclosure Vulnerability

Vulnerability

A logic flaw has been identified in the events.list API endpoint of Outline prior to version 1.5.0. It allows any authenticated user to read activity logs for documents that have no collection, such as Private Drafts and Deleted Documents, regardless of their permissions. The content of these documents is not revealed, but sensitive metadata is: Document IDs, timestamps of user activity and, in some cases, the titles of permanently deleted documents. Because valid Document IDs of deleted drafts are disclosed, the protection that unguessable UUIDs normally provide is lost, which lowers the bar for high-severity IDOR attacks such as the one affecting the documents.restore function.

Impact

This vulnerability lowers the complexity of exploiting IDOR attacks on deleted drafts: an attacker no longer has to guess a Document ID, and can take over a document using the exposed ID. It also lets lower-privileged members monitor Admin activity on private drafts, potentially leading to unauthorized access to sensitive information.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the events.list API endpoint without any filters. The response includes events for documents whose collectionId is null, such as Private Drafts and Deleted Documents. For example, an Admin deletes a private draft, which is permanently removed once it has been trashed. A regular member can then retrieve the Document ID and title of the deleted draft from the events.list response and, using that ID, exploit the IDOR vulnerability by restoring the document.
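The authorization gap described above, as an added illustration that is not Outline's own code: the vulnerable listing treats a null collectionId as "nothing to check", so events on private drafts and deleted documents reach every authenticated user, while the hardened listing scopes such events to the document's creator or the event's actor. The data model, the field names (collectionId, createdById, actorId) and the visibility policy are assumptions for this example.

```javascript
// Constructed sample data: three documents, one collection membership map,
// and the activity events that events.list would return.
const documents = {
  "doc-draft-1":   { collectionId: null,    createdById: "admin-1"  },  // private draft
  "doc-deleted-2": { collectionId: null,    createdById: "admin-1"  },  // trashed, then purged
  "doc-shared-3":  { collectionId: "col-A", createdById: "admin-1"  },  // published in a collection
  "doc-draft-4":   { collectionId: null,    createdById: "member-1" },  // member's own draft
};

const collectionMembers = { "col-A": new Set(["admin-1", "member-1"]) };

const events = [
  { id: "e1", name: "documents.create",  documentId: "doc-draft-1",   actorId: "admin-1",  collectionId: null },
  { id: "e2", name: "documents.delete",  documentId: "doc-deleted-2", actorId: "admin-1",  collectionId: null },
  { id: "e3", name: "documents.publish", documentId: "doc-shared-3",  actorId: "admin-1",  collectionId: "col-A" },
  { id: "e4", name: "documents.create",  documentId: "doc-draft-4",   actorId: "member-1", collectionId: null },
];

// Vulnerable shape of the check: collection-scoped events are filtered by
// membership, but a null collectionId is passed through to everyone.
function listEventsUnscoped(userId) {
  return events.filter(e =>
    e.collectionId === null || (collectionMembers[e.collectionId]?.has(userId) ?? false));
}

// Hardened check (assumed policy): an event on a collection-less document is
// visible only to the document's creator or to the actor of that event.
function canReadEvent(userId, e) {
  if (e.collectionId !== null) {
    return collectionMembers[e.collectionId]?.has(userId) ?? false;
  }
  const doc = documents[e.documentId];
  if (!doc) return false;  // document record gone or unknown: deny, never leak
  return doc.createdById === userId || e.actorId === userId;
}

function listEventsScoped(userId) {
  return events.filter(e => canReadEvent(userId, e));
}

// Helper for comparing results by event id.
function ids(list) {
  return list.map(e => e.id);
}
```

With the unscoped listing, member-1 sees the Admin's draft and deleted-document events (e1, e2); with the scoped listing, only e3 and e4 remain.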

Remediation

Users are advised to update to Outline version 1.5.0 or later, where this vulnerability has been fixed.

Added: Mar 17, 2026, 4:24 PM
Updated: Mar 17, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          0.6
  exploitability  6.4
  remediation     7.7
  relevance       4.0
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.