Outlook, XSS Sanitizer flaw
Summary
The Outlook Web App service is a mail service provided by Microsoft. A researcher named Max discovered a Copy and Paste XSS vulnerability in the web service in 2021.
However, I was able to bypass that patch using the <template> tag. Yea this was a simple Sanitizer bypass where I could inject an <iframe>, <script> tag.
Timeline (KST)
- 2022-03-15 15h 00m : Reported this issue via MSRC
- 2022-03-15 01h 37m : Status changed to New
- 2022-03-17 06h 27m : Status changed from New to Review / Repro
- 2022-04-09 08h 33m : Status changed from Review / Repro to Develop
- 2022-04-26 02h 26m : Status changed from Develop to Pre-Release
- 2022-05-21 07h 02m : Status changed from Pre-Release to Complete