KuCoin Disclosed Report

Bug bounty report KuCoin

Email HTML Injection

Company: KuCoin
Created date: Apr 12 2024

Target

*.kucoin.com

Vulnerability Details

Dear KuCoin Security Team, I am writing to bring to your attention a potential security vulnerability that I have identified involving HTML/CSS injection on the page https://hackenproof.com/redirect?url=https://kucoin.zendesk.com/hc/en-us/requests/new. Upon thorough examination, it has come to my attention that this vulnerability allows for the injection of HTML/CSS tags, presenting a risk of unauthorized actions being carried out by malicious actors.

I understand that support.kucoin.com is considered out of scope, but I reported it because it affects the entire company, not just the domain. The use of company email to send malicious code has an impact on the reputation of the entire company.

Validation steps

Steps to Reproduce:

  Payload:

    Your Account has been suspended you should change your password From Here <a href=https://evil.com>change password</a>

  • Forward the modified request.
  • You will receive a message stating: "AUTOMATED Welcome MESSAGE".

Your request (3877760) has been updated. If you need to add additional comments, reply to this email.

  • Observe that the malicious content is sent to the victim's email after any comment from the victim or an admin.
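The root cause described above is user-supplied ticket text being interpolated into an HTML notification email without escaping. The following added example (not code from the report or from KuCoin/Zendesk) renders a mail body from the report's own payload two ways: raw interpolation, which leaves the attacker's link clickable, and the hardened form that escapes the comment first. The template, ticket id reuse and the `contains_markup` review check are assumptions for illustration.

```python
import html
import re

# Constructed sample: the comment text the report says was injected into the
# Zendesk request (the <a href=https://evil.com> payload from the report).
INJECTED_COMMENT = (
    "Your Account has been suspended you should change your password "
    "From Here <a href=https://evil.com>change password</a>"
)

# Hypothetical notification template; the wording mirrors the email quoted above.
TEMPLATE = (
    "<p>Your request ({ticket_id}) has been updated. "
    "If you need to add additional comments, reply to this email.</p>\n"
    "<blockquote>{comment}</blockquote>"
)

def render_vulnerable(ticket_id: int, comment: str) -> str:
    """Raw interpolation: attacker markup becomes live HTML in the email."""
    return TEMPLATE.format(ticket_id=ticket_id, comment=comment)

def render_hardened(ticket_id: int, comment: str) -> str:
    """Escape user text before it enters the HTML template, so tags render literally."""
    return TEMPLATE.format(ticket_id=ticket_id, comment=html.escape(comment, quote=True))

TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

def contains_markup(text: str) -> bool:
    """Detection helper: flag ticket text that carries HTML tags for review or alerting."""
    return TAG_RE.search(text) is not None

def live_links(rendered: str) -> list[str]:
    """Return href targets that would be clickable in the rendered email."""
    return re.findall(r"<a\s+href=([^\s>]+)", rendered)

if __name__ == "__main__":
    print(live_links(render_vulnerable(3877760, INJECTED_COMMENT)))  # ['https://evil.com']
    print(live_links(render_hardened(3877760, INJECTED_COMMENT)))    # []
```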

Details

State: disclosed
Severity: None
Bounty: hidden
Visibility: partially
Vulnerability: Email HTML Injection