HTML Injection in email when deactivate a user

Summary by HubSpot

It was possible for a user to change their name to include HTML. When that user was deactivated, the deactivation email included the HTML in the user's name fields. The issue is fixed.

Summary by mega7

Thanks!
Can we disclose?!

Report details

Submitted

16 Apr 2022 03:42:42 UTC
Target Location

events.hubspot.com
Target category

Other
VRT

Server-Side Injection > Content Spoofing > Email HTML Injection
Priority

P4
Bug URL

Empty
Description
Hello Gents,
- While testing app-eu1.hubspot.com, I found out that users email could be injected with HTML tag via company name!
Steps to reproduce:
1. Please login at https://app-eu1.hubspot.com.
2. Navigate to https://app-eu1.hubspot.com/settings/PORTAL-ID/account-defaults/general.
3. Inject Account name with HTML payload.
4. Now navigate to https://app-eu1.hubspot.com/settings/PORTAL-ID/users.
5. Choose your victim and Deactivate.
6. Check victim email, HTML will be executed.
Proof of concept:
- POC video in { Attachments }
Thanks and have a nice day!

Activity

Ryan_HubSpot Customer published the disclosure report
3 years ago(29 Jul 2022 20:07:48 UTC)
Ryan_HubSpot Customer sent a message
3 years ago(29 Jul 2022 20:04:15 UTC)
mega7 requested disclosure
3 years ago(17 May 2022 19:27:08 UTC)
HubSpot Jira Application OAuth changed the state to Resolved
3 years ago(17 May 2022 15:14:49 UTC)
mega7 sent a message
3 years ago(26 Apr 2022 22:06:03 UTC)
Abdul_hubspot Customer rewarded mega7 $50
3 years ago(26 Apr 2022 21:02:51 UTC)
- Thanks for your submission! We'll get this over to the appropriate team for further review and remediation. Additionally, we're planning to take a closer look at the HTML injection vulnerabilities that are being triggered via email notifications to portal users so this may affect subsequent HTML injection vulnerabilities you submit that follow this same pattern.
Abdul_hubspot Customer changed the state to Unresolved
3 years ago(26 Apr 2022 20:58:18 UTC)
Abdul_hubspot Customer rewarded mega7 5 points
3 years ago(26 Apr 2022 20:58:18 UTC)
mega7 sent a message
3 years ago(22 Apr 2022 00:48:41 UTC)
mehmet_bugcrowd changed the state to Triaged
3 years ago(21 Apr 2022 23:33:08 UTC)
mehmet_bugcrowd sent a message
3 years ago(21 Apr 2022 23:33:02 UTC)
mega7 resolved a blocker for HubSpot by providing information on impact
3 years ago(19 Apr 2022 12:04:14 UTC)
mega7 sent a message
3 years ago(19 Apr 2022 12:04:13 UTC)
mrhacker_bugcrowd created a blocker on the researcher to provide information on impact
3 years ago(19 Apr 2022 09:58:55 UTC)
mrhacker_bugcrowd sent a message
3 years ago(19 Apr 2022 09:58:43 UTC)
mega7 created the submission
3 years ago(16 Apr 2022 03:42:42 UTC)

Summary by HubSpot

Summary by mega7

Report details

Submitted

Target Location

Target category

VRT

Priority

Bug URL

Description

Steps to reproduce:

Proof of concept:

Activity