XSS Sanitizer flaw in outlook.live.com


The Outlook web app is a mail service provided by Microsoft. A researcher named Max discovered a copy-and-paste XSS vulnerability in the web service in 2021.

However, I was able to bypass that patch using the <template> tag. Yeah, this was a simple sanitizer bypass where I could inject an <iframe> or <script> tag.
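
A regression check for this class of sanitizer bug, as an added example (not code from the original post or from Outlook): it scans sanitizer output at the token level and reports any <script> or <iframe> start tag at any nesting depth, noting whether it sits inside a <template>. The post does not describe the sanitizer's internals, so the check looks only at the output; the function names and sample strings are constructed for illustration.

```python
from html.parser import HTMLParser

FORBIDDEN = {"script", "iframe"}  # the two tags the post names
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}  # elements with no end tag


class ForbiddenTagScanner(HTMLParser):
    """Token-level scan: every start tag is seen, whatever it is nested in."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # currently open elements, outermost first
        self.findings = []   # (tag, ancestor path, inside_template)

    def handle_starttag(self, tag, attrs):
        if tag in FORBIDDEN:
            path = "/".join(self.stack) or "(root)"
            self.findings.append((tag, path, "template" in self.stack))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open element; ignore stray end tags.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass


def find_forbidden(sanitized_html):
    """Return every forbidden element left in the sanitizer's output."""
    scanner = ForbiddenTagScanner()
    scanner.feed(sanitized_html)
    scanner.close()
    return scanner.findings


def assert_clean(sanitized_html):
    """Raise if the output still carries a forbidden element; for test suites."""
    findings = find_forbidden(sanitized_html)
    if findings:
        raise ValueError(f"sanitizer output not clean: {findings}")
    return True


if __name__ == "__main__":
    # Constructed sample of output a sanitizer should never produce.
    leaked = '<div><template><iframe src="about:blank"></iframe></template></div>'
    print(find_forbidden(leaked))
```

Run it over the sanitizer's serialized output in the test suite, with inputs that wrap each disallowed tag in every container element the allowlist permits.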

Timeline (KST)

  • 2022-03-15 15h 00m : Reported this issue via MSRC
  • 2022-03-15 01h 37m : Status changed to New
  • 2022-03-17 06h 27m : Status changed from New to Review / Repro
  • 2022-04-09 08h 33m : Status changed from Review / Repro to Develop
  • 2022-04-26 02h 26m : Status changed from Develop to Pre-Release
  • 2022-05-21 07h 02m : Status changed from Pre-Release to Complete