
Hacker One
added 2014/09/02 8:23 a.m., 48 views

Square: CRITICAL Account takeover via AngularJS template injection in connect.squareup.com

Hi! The OAUTH prompt at https://connect.squareup.com/oauth2/authorize?clientid=EXAMPLE prints out the current OAUTH appname without sanitizing it from -style AngularJS templates. This makes it possible for an attacker to add an AngularJS template to his/her appname that calls the $scope.allow...

AI score 7.1
Exploits: 0
Snyk
added 2014/06/07 9:00 p.m., 2 views

Arbitrary Code Execution

Overview Affected versions of this package are vulnerable to Arbitrary Code Execution. $parse allowed arbitrary code execution via Angular expressions under some very specific conditions. The only applications affected by these vulnerabilities are those that match all of the following conditions:...

CVSS 3.7, AI score 7.5
Exploits: 0, References: 2
Snyk
added 2013/11/12 10:00 p.m., 2 views

Protection Bypass

Overview Affected versions of this package are vulnerable to Protection Bypass via ng-attr-action and ng-attr-srcdoc allowing binding to Javascript. The fix was to require bindings to formaction to be $sce.RESOURCEURL and bindings to iframesrcdoc to be $sce.HTML Remediation Upgrade angularjs to...

CVSS 7.4, AI score 7
Exploits: 0, References: 2
Snyk
added 2013/06/24 9:00 p.m., 2 views

Arbitrary Script Injection

Overview AngularJS.Core is an AngularJS. package for other Angular modules within .NET. Affected versions of this package are vulnerable to Arbitrary Script Injection due to improper sanitization of the $event object passed to the native constructor functions. That isn't protected by the fast pat...

CVSS 8.1, AI score 7.4
Exploits: 0, References: 2
Snyk
added 2013/06/24 9:00 p.m., 2 views

Arbitrary Script Injection

Overview Affected versions of this package are vulnerable to Arbitrary Script Injection due to improper sanitization of the $event object passed to the native constructor functions. That isn't protected by the fast paths in $parse. Remediation Upgrade angularjs to version 1.1.5 or higher...

CVSS 8.1, AI score 7.3
Exploits: 0, References: 2
Snyk
added 2013/06/21 9:00 p.m., 2 views

Cross-site Scripting (XSS)

Overview angularjs is a Affected versions of this package are vulnerable to Cross-site Scripting XSS. Concatenating expressions makes it hard to reason about whether some combination of concatenated values are unsafe to use and could easily lead to XSS. By requiring that a single expression be us...

CVSS 5.4, AI score 6
Exploits: 0, References: 2
Snyk
added 2013/06/21 9:00 p.m., 3 views

Cross-site Scripting (XSS)

Overview AngularJS.Core is a AngularJS. package for other Angular modules within .NET. Affected versions of this package are vulnerable to Cross-site Scripting XSS. Concatenating expressions makes it hard to reason about whether some combination of concatenated values are unsafe to use and could...

CVSS 5.4, AI score 6.1
Exploits: 0, References: 2
Snyk
added 2013/06/20 9:00 p.m., 2 views

Cross-site Scripting (XSS)

Overview angularjs is a Affected versions of this package are vulnerable to Cross-site Scripting XSS. DOM event handlers await events to occur e.g. onclick, onkeypress, etc and execute arbitrary Javascript code in accordance to the event. By default, interpolations inside DOM event handlers are...

CVSS 6.8, AI score 6.7
Exploits: 0, References: 2