Reflected XSS and Server Side Template Injection in all HubSpot CMSes
State Resolved (Closed)
Disclosed publicly 2018-09-11T16:27:49.487Z
Reported To
Weakness none
Summary by m7mdharoun

While I was trying to catch a bug in the @inflection program, I started to test it. It was in scope, but I didn't see that it had a HubSpot CMS. After a long time of testing, I found a small potential Server Side Template Injection.
Then, with some help from @fransrosen, he helped me to break out of the element and get a reflected XSS.

The Google dork was ( inurl:/_hcms/ )

More than 1000 websites using HubSpot were affected.

Some affected websites:

It was great to see the HubSpot team resolve this issue within 24 hours of knowing that there was a problem!

Submitted a report to HubSpot.

Really, I don't know why the BugCrowd team closed my submission as N/A.

They mentioned that it was Not in Scope?!

So I reported it again in another submission, but this time I messaged the security company directly, and it was triaged and fixed in 2 days.

Full PoC:

I found it in this path: /_hcms/cta, so this means it is controlled by the HubSpot service.

The affected parameter was ?referrerUrl=

First, possible Server Side Template Injection:

Server-side template injection occurs when user-controlled input is embedded into a server-side template, allowing users to inject template directives. This allows an attacker to inject malicious template directives and possibly execute arbitrary code on the affected server.

The URL-encoded GET input referrerUrl was set to {{7*7}}

The response contained the result of the evaluated expression: 49
I tried to exploit it by Jinja injection, but I failed; I got:
Malformed escape pair at index 78:,2,3%5D%20%%7D%7B%7Bc,c,c%7D%7D%7B%%20endfor%20%%7D
Illegal character in query at index 81:

Now the Reflected XSS

@fransrosen was able to break out of the element with this payload:

PoC example: <b>ok</b>{%25+endmacro+%25}{{+field(1)%7curlize+}}

The XSS payload was awesome :)
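The SSTI probe and the element breakout share one root cause, which the following added example illustrates (my own Python code, not HubSpot's or the reporter's; the tiny template engine is a constructed stand-in for HubL, not the real one): splicing referrerUrl into the template source lets {{7*7}} evaluate and lets raw markup through, while passing it as a context value with autoescaping fixes both.

```python
import ast
import html
import operator
import re

# Toy template engine, constructed for this example (it is neither HubL nor
# Jinja). It evaluates integer arithmetic and variable lookups inside
# {{ ... }}, which is enough to reproduce the {{7*7}} -> 49 probe result.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_expr(src, context):
    """Evaluate one {{ }} expression against the context dictionary."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.Name):
            return context[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: %r" % src)
    return walk(ast.parse(src.strip(), mode="eval").body)


def render(template, context, autoescape=True):
    """Substitute every {{ expr }} in the template source; values are HTML-escaped by default."""
    def substitute(match):
        value = str(_eval_expr(match.group(1), context))
        return html.escape(value) if autoescape else value
    # re.sub never rescans its own replacement text, so rendered values cannot
    # introduce new directives.
    return re.sub(r"\{\{(.*?)\}\}", substitute, template)


def vulnerable_page(referrer_url):
    """Bug pattern: the parameter is spliced into the template SOURCE.

    Template syntax inside referrerUrl is therefore parsed and executed,
    and nothing is escaped, so markup such as <b>ok</b> lands in the page.
    """
    template = "<p>You came from: " + referrer_url + "</p>"
    return render(template, {}, autoescape=False)


def hardened_page(referrer_url):
    """Fix: the template source is constant and the parameter is passed as DATA.

    {{7*7}} is now just a string value, and autoescaping turns <b> into &lt;b&gt;.
    """
    template = "<p>You came from: {{ ref }}</p>"
    return render(template, {"ref": referrer_url})
```

Compare vulnerable_page("{{7*7}}") with hardened_page("{{7*7}}") to see the 49 appear only in the vulnerable variant; the same pair with "<b>ok</b>" shows the escaping difference behind the reflected XSS.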


Report Status: 22/1/2018
HubSpot_Security changed the priority to P2
HubSpot_Security rewarded 20 points to you
HubSpot_Security changed the state to Resolved 23/1/2018


m7mdharoun Activities::BugResolved

m7mdharoun Activities::ReportBecamePublic

m7mdharoun Activities::ReportSeverityUpdated