resolved
Stored XSS in Email Notification
Bug reported by khaled Saad was disclosed on September 19, 2025, 6:37 am | Cross-site Scripting (XSS) - Stored
A stored XSS vulnerability was discovered in the email notification feature of the crm.na1.insightly.com platform. An attacker could place HTML/JavaScript in an email subject; because the subject was not sufficiently sanitized or encoded when rendered into the notification, the payload executed in the browser of any user who viewed it.
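The following is an added illustration, not Insightly's code: a notification template that interpolates a user-controlled subject, first unencoded, then after a blocklist "sanitizer" of the kind that gives a false sense of safety, and finally with output encoding applied where the value is emitted. The template, field names and sample subject are constructed for the example.

```javascript
// Added example (not the vendor's code): three ways of rendering a stored
// subject into an HTML notification, and a check for injected markup.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Blocklist "input sanitization": removes <script> elements and nothing else.
function stripScriptTags(value) {
  return String(value).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Vulnerable: the subject lands in the HTML body untouched.
function renderNotificationUnsafe(notification) {
  return `<p>${notification.sender} sent you a message: ${notification.subject}</p>`;
}

// Still vulnerable: only one pattern is removed; event-handler attributes survive.
function renderNotificationBlocklist(notification) {
  return `<p>${notification.sender} sent you a message: ${stripScriptTags(notification.subject)}</p>`;
}

// Hardened: every untrusted field is encoded for the context it is emitted in
// (HTML text, quoted attribute, URL query component).
function renderNotificationSafe(notification) {
  const subject = escapeHtml(notification.subject);
  const sender = escapeHtml(notification.sender);
  return `<p>${sender} sent you a message: ${subject}</p>` +
         `<a href="/messages?subject=${encodeURIComponent(notification.subject)}" title="${subject}">open</a>`;
}

// Crude detector for this example: any tag other than the template's own <p>/<a>
// means the subject injected markup.
function hasInjectedMarkup(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !['p', 'a'].includes(t));
}

// Constructed sample subject: no <script> element, so a blocklist misses it.
const sample = { sender: 'alice', subject: '<img src=x onerror="alert(document.domain)">' };
```

The point of the blocklist variant is that "sanitize the input" is the wrong place to fix this class of bug: the subject must be encoded at every sink where it is rendered, and differently per sink (text, attribute, URL), which is what `renderNotificationSafe` does.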
resolved
CSRF vulnerability allows disabling Gmail contacts link for user referrals
Bug reported by khaled Saad was disclosed on September 19, 2025, 6:36 am | Cross-Site Request Forgery (CSRF)
The CSRF vulnerability allowed an attacker to disable a victim's Gmail contacts link used for user referrals. The vulnerable endpoint did not sufficiently verify that the request had been intentionally made by the user, so an attacker could host a proof-of-concept page that, when visited by a logged-in victim, unlinked the victim's account.

