312 matches found
GRR Rapid Response
GRR Rapid Response is an incident response framework focused on remote live forensics. GRR consists of an agent client that can be deployed to a target system, and server infrastructure that can manage and talk to the agent. Client Features: Cross-platform support for Linux, OS X and Windows...
Arbitrary Command Execution
Overview Affected versions of this package are vulnerable to Arbitrary Command Execution due to the assignment functions accessing constructor functions, allowing attackers to execute their malicious code. Remediation Upgrade angularjs to version 1.3.2 or higher. References - GitHub ChangeLog -...
Unsafe Object Deserialization
Overview Affected versions of this package are vulnerable to Unsafe Object Deserialization. POC The exploitable code: js hasOwnProperty.constructor.prototype.valueOf = valueOf.call; "a", "alert1".sorthasOwnProperty.constructor; The exploit: - 1. Array.sort takes a comparison function and passes i...
Square: Reflected XSS in connect.square.com
Hi! The page at https://connect.squareup.com/sessions/new doesn't properly sanitize the "email" parameter and/or the input field for email. Since the site is built with AngularJS and the email field is a binded field child of ng-app, we can inject an AngularJS template. Normally, you aren't...
Square: CRITICAL Account takeover via AngularJS template injection in connect.squareup.com
Hi! The OAUTH prompt at https://connect.squareup.com/oauth2/authorize?clientid=EXAMPLE prints out the current OAUTH appname without sanitizing it from -style AngularJS templates. This makes it possible for an attacker to add an AngularJS template to his/her appname that calls the $scope.allow...
Arbitrary Code Execution
Overview Affected versions of this package are vulnerable to Arbitrary Code Execution. $parse allowed arbitrary code execution via Angular expressions under some very specific conditions. The only applications affected by these vulnerabilities are those that match all of the following conditions:...
Protection Bypass
Overview Affected versions of this package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc allowing binding to JavaScript. The fix was to require bindings to formaction to be $sce.RESOURCE_URL and bindings to iframesrcdoc to be $sce.HTML. Remediation Upgrade angularjs to...
Arbitrary Script Injection
Overview AngularJS.Core is an AngularJS package for other Angular modules within .NET. Affected versions of this package are vulnerable to Arbitrary Script Injection due to improper sanitization of the $event object passed to the native constructor functions. That isn't protected by the fast pat...
Arbitrary Script Injection
Overview Affected versions of this package are vulnerable to Arbitrary Script Injection due to improper sanitization of the $event object passed to the native constructor functions. That isn't protected by the fast paths in $parse. Remediation Upgrade angularjs to version 1.1.5 or higher...
Cross-site Scripting (XSS)
Overview angularjs is a Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Concatenating expressions makes it hard to reason about whether some combination of concatenated values are unsafe to use and could easily lead to XSS. By requiring that a single expression be us...
Cross-site Scripting (XSS)
Overview AngularJS.Core is an AngularJS package for other Angular modules within .NET. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Concatenating expressions makes it hard to reason about whether some combination of concatenated values are unsafe to use and could...
Cross-site Scripting (XSS)
Overview angularjs is a Affected versions of this package are vulnerable to Cross-site Scripting (XSS). DOM event handlers await events to occur (e.g. onclick, onkeypress, etc.) and execute arbitrary JavaScript code in accordance with the event. By default, interpolations inside DOM event handlers are...