Outline
cpe:2.3:a:getoutline:outline:*:*:*:*:*:*:*
- >= 0.84.0, <= 1.6.1
A stored cross-site scripting vulnerability has been identified in Outline versions 0.84.0 prior to 1.6.1. The issue arises in the comment section, where users can mention others. The backend fails to validate or sanitize the href attribute of these mentions, so dangerous URL schemes such as javascript: can be introduced, creating a risk of client-side code execution. The vulnerability has been patched in version 1.7.0.
Exploitation of this vulnerability allows for the injection of a cross-site scripting payload that is executed in the context of the user's session. This could lead to session hijacking or the leakage of sensitive information stored in the wiki.
To reproduce this vulnerability, log into Outline and create a new draft page. Open the comments section and add a comment that mentions another user, such as '@example User'. After the comment is posted, open the browser's developer tools and go to the Network tab. Find the 'comments.create' API call and copy it as a fetch request. Edit the request to change the mention type from 'user' to 'url', put a javascript: payload in the href property, and ensure the id field is unique. Submit the modified request. A new comment appears, and clicking the injected link executes the JavaScript, confirming the vulnerability.
Users can update to Outline version 1.7.0 or later, where this vulnerability has been fixed.
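The root cause above is a missing scheme check on the mention href. As an added example (not Outline's own code, and using a constructed ProseMirror-style node shape rather than Outline's real schema), this is the kind of server-side allow-list check that rejects such comments before they are stored; the WHATWG URL parser does the normalisation, so disguised forms of javascript: are caught as well.

```typescript
// Added example, not Outline's own code: server-side validation of a comment
// mention's href against an explicit allow-list of URL schemes, so a
// javascript: href is rejected before the comment is stored.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["http:", "https:", "mailto:"]);

// Constructed ProseMirror-style node shape; Outline's real schema may differ.
interface DocNode { type: string; text?: string; attrs?: { [k: string]: unknown }; content?: DocNode[] }

// Parse with no base URL so relative values are rejected rather than resolved.
function parseAbsolute(href: string): URL | null {
  try { return new URL(href); } catch { return null; }
}

// True when href is absent or carries an allowed scheme. The WHATWG parser
// strips leading/trailing spaces and controls, removes embedded tabs and
// newlines, and lower-cases the scheme, so "  JaVaScRiPt:" and "java\tscript:"
// both normalise to "javascript:" before the allow-list check; a regex on the
// raw string would miss these variants.
function isSafeMentionHref(href: string | undefined): boolean {
  if (href === undefined || href === "") return true;
  const url = parseAbsolute(href);
  return url !== null && ALLOWED_SCHEMES.has(url.protocol);
}

// Walk a comment document and collect hrefs of mention nodes that fail the
// check. An empty result means the comment may be persisted.
function findUnsafeMentions(node: DocNode, out: string[] = []): string[] {
  if (node.type === "mention") {
    const href = node.attrs?.href;
    if (typeof href === "string" && !isSafeMentionHref(href)) out.push(href);
  }
  for (const child of node.content ?? []) findUnsafeMentions(child, out);
  return out;
}

// Constructed sample: a legitimate user mention followed by a tampered one whose
// type was switched to "url" and whose href carries a disguised javascript: scheme.
const sampleComment: DocNode = {
  type: "doc",
  content: [{ type: "paragraph", content: [
    { type: "mention", attrs: { type: "user", id: "u1", href: "https://wiki.example/users/u1" } },
    { type: "text", text: " see " },
    { type: "mention", attrs: { type: "url", id: "m1", href: "java\tscript:alert(1)" } },
  ] }],
};
```

Running findUnsafeMentions over the sample returns only the tampered href, so the request would be refused rather than "cleaned"; for mentions of type "user" the href should be derived server-side from the user id rather than taken from the client at all.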