HTML Injection in meeting owner email

Disclosed by
mega7
  • Program HubSpot
  • Disclosed date over 1 year ago
  • Reward $50
  • Priority P4 Bugcrowd's VRT priority rating
  • Status Resolved This vulnerability has been accepted and fixed
Summary by HubSpot

It was possible for a user to change their name to include HTML. When that user's calendar was disconnected, the notification email included the HTML in the user's name fields. The issue is fixed.

Summary by mega7

Can we disclose?!

Report details

  • Submitted

  • Target Location

    *.hubspot.com

  • Target category

    Other

  • VRT

    Server-Side Injection > Content Spoofing > Email HTML Injection

  • Priority

    P4
  • Bug URL
    https://meetings-eu1.hubspot.com/MEETING
  • Description

    Hello Gents,

    • While testing Hubspot, I found that meeting owner email could be injected with HTML code.

    Steps to reproduce:

    1. Please login at https://app-eu1.hubspot.com.
    2. Navigate to https://app-eu1.hubspot.com/meetings/PORTAL-ID.
    3. Copy the meeting link and share it with the customers.
    4. As an attacker, request a new meeting.
    5. Inject First name and Last name with HTML tags.
    6. Owner will receive this malicious mail.

    Proof of concept:

    • POC video in { Attachments } Screenshot%20from%202022-04-16%2003-38-00.png
Activity