Summary
Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure
Advisory details
Summary
A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML
Steps to Reproduce
- Create a new dashboard.
- Add a Text widget.
- Insert the following payload:
<img src=x onerror="alert('XSS Executed\nToken: ' + localStorage.getItem('ob-token'))">
Architectural Context
Outerbase Cloud and its backend services were discontinued in 2025.
The current version of Outerbase Studio operates purely as a client-side application, with dashboard data stored locally in the browser.
Impact
In the current architecture, the impact is limited to local self-XSS within a user's browser session. The previously described scenarios involving:
- authentication token theft
- account takeover
- database access
are no longer applicable since there are no active backend services or authentication tokens.
Remediation
The unsafe HTML rendering in the Text Widget has been removed in commit https://github.com/outerbase/studio/commit/b06fb85e5967440278d5a815721b360920566ab9 by eliminating the use of dangerouslySetInnerHTML.
References
Related vulnerabilities
All Supply chain →- HIGHCVE-2026-52798
Gogs has Stored XSS in `.ipynb` Preview
- MEDIUMGHSA-hvqh-jw65-wcpq
devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
- CRITICALCVE-2026-44203
OpenAM has pre-auth Reflected XSS in OAuth2 / OIDC response_mode=form_post via state parameter (FormPostResponse.ftl)
- HIGHGHSA-x975-rgx4-5fh4
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
- MEDIUMCVE-2026-55877
symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses
- HIGHCVE-2026-55692
StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled