Hyperlink injection in email in outline/outline

Valid

Reported on

Jul 2nd 2022


BUG

Hyperlink injection in email

SUMMARY

There is no character length limit on a user's full name. A user can therefore set the full name to a very large number of characters and can also include link URLs in it.

DETAILS

1. Go to the admin account profile and change the full name to the text below:

Hi, You have been invited to getoutline . If you are  existing user then login to http://attacker.com/?login=true .
If not then goto http://attacker.com/?invite=true&id=xyz  and setup with your account.Then  login with your new password . Ignore this mail if already done .

2. Now invite a user, user-B, with the viewer role. user-B receives an email like the one below.

(screenshot of the received invitation email; not included in this page)

Here user-B thinks it is a real email from Outline, so the victim will trust it and log in or sign up on the attacker's site.
The attacker then obtains the victim's password or some other token.

I see that getoutline does not have password authentication, but an attacker can still steal other kinds of tokens or mislead users.

My suggestion is to limit the character length of the full name and not allow hyperlinks in it.

REFERENCES

Here are a few similar HackerOne reports:
https://hackerone.com/reports/950180
https://hackerone.com/reports/864751
https://hackerone.com/reports/843421
https://hackerone.com/reports/164833
https://hackerone.com/reports/158554

Impact

Hyperlink injection in the full name allows confusing users and stealing victims' passwords.

We are processing your report and will contact the outline team within 24 hours. a year ago
ranjit-git modified the report a year ago
Tom Moor modified the Severity from Medium to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Tom Moor validated this vulnerability a year ago

Valid, however attack potential is limited as we do not have user passwords.

ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor marked this as fixed in 0.64.3 with commit 8ebe4b a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Profile.tsx#L20-L169 has been validated
users.test.ts#L11-L126 has been validated
AuthStore.ts#L24-L280 has been validated
users.ts#L33-L356 has been validated
users.test.ts#L136-L650 has been validated