Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

Shopify - HackerOne Reports

View on HackerOne

336

Total Reports

9

Critical

13

High

127

Medium

100

Low

Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com

Reported by: samux | Disclosed:

Medium

Weakness: Improper Access Control - Generic

Reflective Cross-site Scripting via Newsletter Form

Reported by: dostoevskylabs | Disclosed:

High

Weakness: Cross-site Scripting (XSS) - Reflected

Bounty: $2000.00

Blog posts atom feed of a store with password protection can be accessed by anyone

Reported by: xenx | Disclosed:

Medium

Weakness: Information Disclosure

Bounty: $5000.00

Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation

Reported by: ngalog | Disclosed:

Medium

[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation

Reported by: ngalog | Disclosed:

Critical

Open Redirect in www.shopify.dev Environment

Reported by: beerboy_ankit | Disclosed:

Medium

Weakness: Open Redirect

store internal email disclosed through shopify-data-exporter

Reported by: xenx | Disclosed:

Medium

Weakness: Information Disclosure

Bounty: $500.00

Stored XSS in SVG file as data: url

Reported by: irisrumtub | Disclosed:

Medium

Weakness: Cross-site Scripting (XSS) - Stored

Bounty: $5300.00

IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop

Reported by: inhibitor181 | Disclosed:

Medium

Weakness: Insecure Direct Object Reference (IDOR)

Bounty: $500.00

Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor

Reported by: zombiehelp54 | Disclosed:

Weakness: Open Redirect

Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly

Reported by: peroni | Disclosed:

Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/

Reported by: riramar | Disclosed:

Access to Splunk via shard3-db2.ec2.shopify.com endpoint

Reported by: ysx | Disclosed:

Weakness: Improper Authentication - Generic

Shopify Stocky App OAuth Misconfiguration

Reported by: vulnh0lic | Disclosed:

Medium

Weakness: Privilege Escalation

[h1-2102] HTML injection in packing slips can lead to physical theft

Reported by: intidc | Disclosed:

Low

Weakness: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Bounty: $900.00

Open Redirect on Login Page of Stocky App

Reported by: luc1d | Disclosed:

Medium

Weakness: Open Redirect

Github access token exposure

Reported by: augustozanellato | Disclosed:

Critical

Bounty: $50000.00

Store Deletion or Sell without authentication

Reported by: fr4via | Disclosed:

Low

Weakness: Improper Authentication - Generic

H1514 Stored XSS in Return Magic App portal content

Reported by: zombiehelp54 | Disclosed:

Medium

Weakness: Cross-site Scripting (XSS) - Stored

H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products

Reported by: fransrosen | Disclosed:

Medium

Weakness: Command Injection - Generic

Page 1 of 17 Next