Shopify - HackerOne Reports
Total reports: 330 (Critical: 9, High: 13, Medium: 123, Low: 98)
Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation
Reported by: ngalog | Disclosed: | Severity: Medium
XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline
Reported by: nismo | Disclosed: | Weakness: Cross-site Scripting (XSS) - Generic
Stored XSS in SVG file as data: url
Reported by: irisrumtub | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $5300.00
Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance.
Reported by: h13- | Disclosed: | Severity: Low | Weakness: Information Disclosure | Bounty: $500.00
Reflective Cross-site Scripting via Newsletter Form
Reported by: dostoevskylabs | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Reflected | Bounty: $2000.00
Sensitive data Related to Shopify Host -> https://shopify.zendesk.com/
Reported by: sam_exploit | Disclosed: | Weakness: Cleartext Storage of Sensitive Information | Bounty: $500.00
Blog posts atom feed of a store with password protection can be accessed by anyone
Reported by: xenx | Disclosed: | Severity: Medium | Weakness: Information Disclosure | Bounty: $5000.00
[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation
Reported by: ngalog | Disclosed: | Severity: Critical
Open Redirect in www.shopify.dev Environment
Reported by: beerboy_ankit | Disclosed: | Severity: Medium | Weakness: Open Redirect
store internal email disclosed through shopify-data-exporter
Reported by: xenx | Disclosed: | Severity: Medium | Weakness: Information Disclosure | Bounty: $500.00
Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/
Reported by: riramar | Disclosed:
IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
Reported by: inhibitor181 | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $500.00
Access to Splunk via shard3-db2.ec2.shopify.com endpoint
Reported by: ysx | Disclosed: | Weakness: Improper Authentication - Generic
Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor
Reported by: zombiehelp54 | Disclosed: | Weakness: Open Redirect
Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly
Reported by: peroni | Disclosed:
Shopify Stocky App OAuth Misconfiguration
Reported by: vulnh0lic | Disclosed: | Severity: Medium | Weakness: Privilege Escalation
Access to Private Photos of Apps in App section (IDOR)
Reported by: indoappsec | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR)
CSRF on connecting Paypal as Payment Provider
Reported by: ngalog | Disclosed: | Severity: Medium | Weakness: Cross-Site Request Forgery (CSRF)
[h1-2102] HTML injection in packing slips can lead to physical theft
Reported by: intidc | Disclosed: | Severity: Low | Weakness: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | Bounty: $900.00
Open Redirect on Login Page of Stocky App
Reported by: luc1d | Disclosed: | Severity: Medium | Weakness: Open Redirect
Page 1 of 17