Summary by HubSpot
It was possible for a user to change their name to include HTML. When that user was deactivated, the deactivation email included the HTML in the user's name fields. The issue is fixed.
HTML Injection in email when deactivate a user
Disclosed by mega7- Program HubSpot
- Disclosed date over 1 year ago
- Reward $50
- Priority P4 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by mega7
Thanks!
Can we disclose?!
Report details
-
Submitted
-
Target Location
*.hubspot.com -
Target category
Other
-
VRT
Server-Side Injection > Content Spoofing > Email HTML Injection -
Priority
P4 -
Bug URL
Empty -
Description
Hello Gents,
- While testing
app-eu1.hubspot.com, I found out that users email could be injected with HTML tag via company name!
Steps to reproduce:
- Please login at https://app-eu1.hubspot.com.
- Navigate to https://app-eu1.hubspot.com/settings/PORTAL-ID/account-defaults/general.
- Inject Account name with HTML payload.
- Now navigate to https://app-eu1.hubspot.com/settings/PORTAL-ID/users.
- Choose your victim and Deactivate.
- Check victim email, HTML will be executed.
Proof of concept:
- POC video in { Attachments }
Thanks and have a nice day!
- While testing