Summary by HubSpot
It was possible for a user to change their name to include HTML. When that user's calendar was disconnected, the notification email included the HTML in the user's name fields. The issue is fixed.
- Engagement HubSpot
- Disclosed date over 2 years ago
- Reward $50
- Priority P4 Bugcrowd's VRT priority rating
- Status Resolved This vulnerability has been accepted and fixed
Summary by mega7
Can we disclose?!
Report details
-
Submitted
-
Target Location
events.hubspot.com -
Target category
Other
-
VRT
Server-Side Injection > Content Spoofing > Email HTML Injection -
Priority
P4 -
Bug URL
https://meetings-eu1.hubspot.com/MEETING -
Description
Hello Gents,
- While testing Hubspot, I found that meeting owner email could be injected with HTML code.
Steps to reproduce:
- Please login at https://app-eu1.hubspot.com.
- Navigate to https://app-eu1.hubspot.com/meetings/PORTAL-ID.
- Copy the meeting link and share it with the customers.
- As an attacker, request a new meeting.
- Inject First name and Last name with HTML tags.
- Owner will receive this malicious mail.
Proof of concept:
- POC video in { Attachments }
Activity
- Ryan_HubSpot Customer published the disclosure report
- mega7 requested disclosure
- HubSpot Jira Application OAuth changed the state to Resolved
- alex_hubspot Customer changed the state to Unresolved
- alex_hubspot Customer rewarded mega7 5 points
- alex_hubspot Customer rewarded mega7 $50
- alex_hubspot Customer sent a message
- mega7 sent a message
- mrhacker_bugcrowd changed the state to Triaged
- mrhacker_bugcrowd sent a message
- mega7 created the submission
