Outline · Outline · CVE-2026-43887
**Name of the Vulnerable Software and Affected Versions**
Outline versions 0.84.0 through 1.6.1
**Description**
The comment section allows users to mention other users, but the backend fails to validate or sanitize the `href` attribute associated with these mentions. This allows the use of dangerous protocols, such as `javascript:`, which can lead to client-side code execution via Cross-Site Scripting (XSS), a technique where malicious scripts are injected into trusted websites.
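The kind of server-side scheme allowlist whose absence is described above, as an added example that is not Outline's code or its actual fix. The function names, the `mention` node shape and the `wiki.example.invalid` origin are assumptions, and the sample comment is constructed.

```javascript
// Added example; names and the node shape are assumptions, not Outline's code.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const BASE = "https://wiki.example.invalid"; // placeholder origin for relative links

// True only when the href parses to an allowlisted scheme.
function isSafeMentionHref(href) {
  if (typeof href !== "string" || href === "") return false;
  try {
    // The WHATWG URL parser lowercases the scheme and drops tabs, newlines and
    // leading control characters, the same normalization a browser applies,
    // so the check sees the scheme the client would act on.
    return ALLOWED_PROTOCOLS.has(new URL(href, BASE).protocol);
  } catch {
    return false; // unparseable input is rejected
  }
}

// Walk a comment's node tree and collect every mention href that fails the check.
// A mention with no href at all is also reported (strict policy, an assumption).
function findUnsafeMentions(node, found = []) {
  if (!node) return found;
  if (node.type === "mention" && !isSafeMentionHref(node.attrs?.href)) {
    found.push(node.attrs?.href);
  }
  for (const child of node.content || []) findUnsafeMentions(child, found);
  return found;
}

// Constructed sample comment body (not captured from a real instance).
const sampleComment = {
  type: "doc",
  content: [{
    type: "paragraph",
    content: [
      { type: "mention", attrs: { label: "alice", href: "/u/alice" } },
      { type: "mention", attrs: { label: "bob", href: "JavaScript:void(0)" } },
      { type: "mention", attrs: { label: "carol", href: " java\tscript:void(0)" } },
      { type: "mention", attrs: { label: "dave", href: "https://wiki.example.invalid/u/dave" } },
    ],
  }],
};

// A backend would refuse to store the comment when this list is non-empty.
const rejected = findUnsafeMentions(sampleComment);
if (rejected.length > 0) {
  console.log("reject comment, unsafe mention hrefs:", rejected);
}
```

Comparing the parsed `protocol` against an allowlist, rather than searching the raw string for `javascript:`, is what makes the check hold for mixed-case and whitespace-padded values.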
**Recommendations**
Update to version 1.7.0.