Stored XSS Vulnerability in Outline Document Editor
CVE-2024-40626

Currently unrated

Key Information:

Vendor: Outline
Status: Outline
Vendor: CVE Published:; 16 July 2024

What is CVE-2024-40626?

A stored XSS vulnerability has been identified in Outline, an open-source collaborative document editor. This issue arises from a type confusion flaw in ProseMirror’s rendering process, enabling an authenticated user to inject malicious JavaScript into a document. When other users open this document, the payload executes within Outline's origin. Although Outline employs Content Security Policy (CSP) rules to limit third-party code execution, self-hosting configurations with file storage on the same domain can bypass these protections, allowing harmful payloads to be uploaded as attachments. Users are strongly encouraged to upgrade to version 0.77.3, as there are currently no workarounds available.

References

https://github.com/outline/outline/security/advisories/GH...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 16, 2024

CVE-2024-40626 Data

JSON