I offers security consulting services within the space of Penetration Testing , Ethical Hacking , Vulnerability Assessments and Security Code and Configuration Reviews ~

SquareUp Open Redirection

During Password resetting, I observe something, that Password token link is redirected first through subscriptions link. where 'r' is the parameter and value can be any website.
Steps To Reproduce:
1- After Password Reset email, Copy Link Address.


2- Address URI look like this: 
https://squareup.com/subscriptions/r?d=VHZ0CwTM5CMAwfX4&e=/html/body/table/tr/td/table[1]/tr[2]/td/table/tr[2]/td/table/tr[2]/td[2]/table/tr[5]/td/div/a&n=emailClick&r=https://squareup.com/password/reset/Token

Video PoC: