Stored XSS via cloud attachment

ZOHO Mail is a business mail service that includes integrated calendar, contacts, notes, and tasks apps. Initially I was looking for a stored XSS in the webmail, but I did not find one, so I started checking the other services. I wondered whether it was possible to inject malicious code via attachments in ZOHO Notes. Attaching a local file did not work, but ZOHO Notes also lets you attach files from some cloud services: Google Drive, Dropbox, Box and Evernote....

January 20, 2018 · 2 min · 342 words · Luigi Gubello

Stored XSS in touch.mail.ru

This is my first public disclosure on HackerOne. It is a partial disclosure, but the summary is clear: there was a stored XSS in the image preview feature via a crafted attachment filename.

#275274 - touch.mail.ru/messages - Stored XSS
07/10/2017 - I sent the report
11/10/2017 - The vulnerability is fixed and the bug bounty reward is $750
27/12/2017 - Public disclosure

December 27, 2017 · 1 min · 61 words · Luigi Gubello