Reflected XSS + Possible Server-Side Template Injection in HubSpot CMS (All Websites Using HubSpot Were Affected)


(More than 1000 websites using HubSpot were affected)

It was my first good bug. While I was testing for bugs in a website, I found the path /_hcms/, which means it is controlled by the HubSpot service.

I found it in this path: /_hcms/cta

The affected parameter was ?referrerUrl=

First, the possible server-side template injection:

Server-side template injection occurs when user-controlled input is embedded into a server-side template, allowing users to inject template directives. This allows an attacker to inject malicious template directives and possibly execute arbitrary code on the affected server.

The URL-encoded GET input referrerUrl was set to {{7*7}}

The response contained the result of the evaluated expression: 49
I tried to exploit it with Jinja injection, but I failed.
I got:

 Illegal character in query at index 81:
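
An added example, not from the original post: a log check a site operator could run to spot requests like the one above, where referrerUrl on /_hcms/cta carries template directive markers or HTML metacharacters, including double-encoded ones. The log format, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Template directive openers ({{ expr }}, {% tag %}, {# comment #}) and HTML breakout characters.
TEMPLATE_RE = re.compile(r"\{\{|\{%|\{#")
HTML_RE = re.compile(r"[<>\"']")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2018:10:00:01 +0000] "GET /_hcms/cta?referrerUrl=https%3A%2F%2Fexample.com%2Fpricing HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Jan/2018:10:00:07 +0000] "GET /_hcms/cta?referrerUrl=%7B%7B7*7%7D%7D HTTP/1.1" 200 498',
    '203.0.113.9 - - [22/Jan/2018:10:00:09 +0000] "GET /_hcms/cta?referrerUrl=%257B%257B7*7%257D%257D HTTP/1.1" 200 498',
    '203.0.113.9 - - [22/Jan/2018:10:00:12 +0000] "GET /_hcms/cta?referrerUrl=%22%3Etest HTTP/1.1" 200 501',
    '203.0.113.7 - - [22/Jan/2018:10:00:15 +0000] "GET /blog?referrerUrl=%7B%7B7*7%7D%7D HTTP/1.1" 200 100',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding (%257B -> %7B -> {), bounded so it always terminates."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line, path="/_hcms/cta", param="referrerUrl"):
    """Return the set of findings for one log line; empty if benign or a different endpoint."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return set()
    url = urlsplit(m.group(1))
    if url.path != path:
        return set()
    findings = set()
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if key != param:
            continue
        value = fully_decode(value)  # parse_qsl already decoded one layer
        if TEMPLATE_RE.search(value):
            findings.add("template-directive")
        if HTML_RE.search(value):
            findings.add("html-metacharacter")
    return findings

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sorted(classify(line)), line.split('"')[1])
```
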

Now the Great XSS

With help from Frans Rosén, who could break out of the element with this payload:

Example:

Then the XSS payload was cool.


Some affected websites:

And more than 1000 websites

Report status: 22/1/2018

HubSpot_Security changed the priority to P2
HubSpot_Security rewarded 20 points to you
HubSpot_Security changed the state to Resolved 

