1344 matches found

Source: seebug.org · added 2017/10/09 12:00 a.m. · 35 views

Angular-CLI Authentication Bypass

Vulnerability summary: The following advisory describes an authentication bypass vulnerability found in Angular-CLI version 1.3.2. The Angular CLI makes "it easy to create an application that already works, right out of the box. It already follows our best practices!" Credit: An independent security...

AI score: 6.5 · Exploits: 0

Source: CNVD · added 2017/08/11 12:00 a.m. · 2 views

IdentityServer3 authorize response page cross-site scripting vulnerability

IdentityServer3 is a .NET-based access control plug-in for Web applications. A cross-site scripting vulnerability in the Angular expression of the IdentityServer3 authorize response page allows remote attackers to exploit the vulnerability to inject malicious script or HTML code, which can be use...

CVSS: 6.1 · AI score: 6.2 · EPSS: 0.00233 · Exploits: 0 · References: 1

Source: NVD · added 2017/08/08 1:34 a.m. · 12 views

CVE-2017-12677

IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Angular expression on the authorize response page, which might allow remote attackers to obtain sensitive information about the IdentityServer authorization response...

CVSS: 6.1 · AI score: 6 · EPSS: 0.00233 · Exploits: 0 · References: 1

Source: OSV · added 2017/08/08 1:34 a.m. · 15 views

CVE-2017-12677

IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Angular expression on the authorize response page, which might allow remote attackers to obtain sensitive information about the IdentityServer authorization response...

CVSS: 6.1 · AI score: 5.8 · Exploits: 0 · References: 1

Source: CVE · added 2017/08/08 1:00 a.m. · 69 views

CVE-2017-12677

IdentityServer3 versions 2.4.x, 2.5.x, and 2.6.x prior to 2.6.1 are affected by a cross-site scripting (XSS) vulnerability on the authorize response page due to an Angular expression. This could allow remote attackers to obtain sensitive information about the IdentityServer authorization response...

CVSS: 6.1 · AI score: 5.8 · EPSS: 0.00233 · Exploits: 0 · References: 1 · Affected Software: 1

Source: Hacker One · added 2017/06/15 4:11 p.m. · 12 views

WordPress: [mercantile.wordpress.org] Reflected XSS

@zeeshan found a bypass for 230234. Payload used: constructor.constructor'alertdocument.domain' URL to trigger XSS: https://mercantile.wordpress.org/?s=%26%23123%3B%26%23123%3Bconstructor.constructor%28%27alert%28document.domain%29%27%29%28%29%7D%7D&posttype=product ----- Soon after another XSS...

AI score: 6.2 · Exploits: 0

Source: Hacker One · added 2017/05/20 1:40 p.m. · 27 views

WordPress: Stored self-XSS in mercantile.wordpress.org checkout

Hello Team, Summary: after I read this 221893 report, I tried to find more security issues there, and I was surprised to find an RCE via Template Injection. Since in that report I saw the ng-bindable word, it's possible the site is also affected by RCE. Steps To Reproduce 1. open https://mercantile.wordpress.org...

AI score: 7.5 · Exploits: 0

Source: Node.js · added 2017/03/15 6:46 p.m. · 58 views

XSS via Angular Expression

Overview Affected versions of ag-grid are vulnerable to Cross-site Scripting XSS via Angular Expressions, if used in combination with AngularJS. Recommendation Avoid using ag-grid in combination with AngularJS until a fix is available. References - Issue 1287 -...

CVSS: 4.3 · AI score: 2.8 · EPSS: 0.00491 · Exploits: 1 · Affected Software: 1

Source: Veracode · added 2017/02/23 8:06 a.m. · 13 views

Cross-site Scripting (XSS)

angular is vulnerable to cross-site scripting XSS attacks. The vulnerability exists because it does not sanitize URI values in the imgsrcset...

AI score: 5.7 · Exploits: 0

Source: Veracode · added 2017/01/23 6:21 a.m. · 13 views

Cross-Site Scripting (XSS) Via Sandbox Escaping

angular is vulnerable to cross-site scripting attacks. A malicious user can inject arbitrary javascript by executing angular expressions with sandbox escape characters in them. Starting from version 1.6 onwards, the sandbox feature has been removed from angular. To mitigate this issue, developers...

AI score: 6.1 · Exploits: 0

Source: Hacker One · added 2017/01/10 7:16 p.m. · 110 views

Rockstar Games: [IMP] - Blind XSS in the admin panel for reviewing comments

@anshumanbh discovered that it is possible to exploit a Blind XSS vulnerability under the "MOUTHOFF TO ROCKSTAR" section while providing feedback. The result is an XSS vulnerability being exploited on an internal Rockstar Games domain. The way this worked was that an attacker would submit a...

AI score: 5.8 · Exploits: 0

Source: Snyk · added 2016/10/31 10:00 p.m. · 2 views

Content Security Policy (CSP) Bypass

Overview Affected versions of this package are vulnerable to Content Security Policy CSP Bypass. Extension URIs resource://... bypass Content-Security-Policy in Chrome and Firefox and can always be loaded. Now if a site already has a XSS bug, and uses CSP to protect itself, but the user has an...

CVSS: 6.5 · AI score: 6.2 · Exploits: 0 · References: 2

Source: OSV · added 2016/07/12 12:00 a.m. · 0 views

UBUNTU-CVE-2016-4428

Cross-site scripting XSS vulnerability in OpenStack Dashboard Horizon 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form...

CVSS: 5.4 · AI score: 6.8 · EPSS: 0.00553 · Exploits: 0 · References: 4

Source: RedHat Linux · added 2016/06/21 10:40 p.m. · 3 views

python-django-horizon: XSS in client side template

A DOM-based cross-site scripting vulnerability has been identified in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description),...

CVSS: 5.4 · AI score: 5.6 · EPSS: 0.00553 · Exploits: 0 · References: 4

Source: RedHat Linux · added 2016/06/21 10:23 p.m. · 2 views

python-django-horizon: XSS in client side template

A DOM-based cross-site scripting vulnerability has been identified in the OpenStack dashboard, where user input was not filtered correctly. An authenticated dashboard user could exploit the flaw by injecting an AngularJS template into a dashboard form (for example, using an image's description),...

CVSS: 5.4 · AI score: 5.6 · EPSS: 0.00553 · Exploits: 0 · References: 4

Source: myhack58 · added 2016/05/28 12:00 a.m. · 35 views

Angular JS template injection vulnerability analysis - vulnerability warning - the black bar safety net

While hunting for vulnerabilities over the weekend, I found an interesting XSS: it uses Angular JS template injection to execute malicious code, and the idea and technique are relatively novel. Angular JS is one of the more popular front-end MVC frameworks, and many cutting-edge sites...

AI score: 0.3 · Exploits: 0

Source: Hacker One · added 2016/04/19 9:11 p.m. · 17 views

New Relic: Stored Cross-Site Scripting via Angular Template Injection

It's possible to inject Angular expressions into the account settings of a New Relic account. This, combined with an Angular sandbox escape, allows for persistent cross-site scripting which is executed in the browser of any user visiting the affected page. The execution of which could be used to...

AI score: 1.5 · Exploits: 0

Source: Hacker One · added 2016/03/22 5:35 p.m. · 112 views

Uber: Reflected XSS on developer.uber.com via Angular template injection

developer.uber.com is vulnerable to reflected XSS via Angular template injection. The following URL demonstrates the root issue using a trivial payload: https://developer.uber.com/docs/deep-linking?q=wrtz77 If you view the rendered source of the resulting page, you'll find the string 'wrtz49',...

AI score: 0.2 · Exploits: 0

Source: Hacker One · added 2016/03/21 12:16 a.m. · 24 views

New Relic: Stored XSS through Angular Expression Sandbox Escape

As an Admin of an account, I am able to set the Name of the Account to an Angular expression. This Angular expression is resolved and executed on the Insights Welcome Page for anyone that is a part of the Account. Due to the ability to invite anyone (even current NewRelic users) to an Account, it...

AI score: 0.9 · Exploits: 0

Source: Hacker One · added 2016/02/19 6:25 p.m. · 92 views

Zendesk: Stored XSS via Angular Expression injection on developer.zendesk.com

developer.zendesk.com is vulnerable to stored XSS via Angular template injection. To replicate: Browse to https://developer.zendesk.com Sign up with an arbitrary email address and the following name: "'a'.constructor.prototype.charAt=.join;$eval'x=alert1';" Observe the popup. This is a stored...

AI score: 0.6 · Exploits: 0