PT-2024-28949 · Unknown · Prosemirror
Rskvp93 · Published 2024-07-16 · Updated 2026-01-28 · CVE-2024-40626
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Outline versions prior to 0.77.3

Description: A type confusion issue in ProseMirror's rendering process leads to stored cross-site scripting (XSS). An authenticated user can create a document containing a malicious JavaScript payload that executes when other users view the document. In self-hosted environments where file storage is served from the same domain, the issue can bypass Content Security Policy (CSP) restrictions.

Recommendations: For versions prior to 0.77.3, upgrade to release version 0.77.3 to address the issue.

Exploit · Fix · DoS · XSS

Weakness Enumeration

Related Identifiers

CVE-2024-40626
GHSA-888C-MVG8-V6WH

Affected Products

Prosemirror