Loading HuntDB...

Vulnerability Intelligence by wss.sh

Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News

More Sources

HackerOne Reports

Bug bounty disclosures

WordPress Vulnerabilities

WordPress plugins & themes

Tools & Data

Trending Insights

Popular vulnerabilities

Advanced Search

Filter & search CVEs

Product Inventory

Software & vendors

Sign In Sign Up

Shopify - HackerOne Reports

View on HackerOne

339

Total Reports

9

Critical

13

High

128

Medium

101

Low

Stored XSS in SVG file as data: url

Reported by: irisrumtub | Disclosed:

Medium

Weakness: Cross-site Scripting (XSS) - Stored

Bounty: $5300.00

Reflective Cross-site Scripting via Newsletter Form

Reported by: dostoevskylabs | Disclosed:

High

Weakness: Cross-site Scripting (XSS) - Reflected

Bounty: $2000.00

One Click XSS in [www.shopify.com]

Reported by: comwrg | Disclosed:

Weakness: Cross-site Scripting (XSS) - Generic

Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com

Reported by: samux | Disclosed:

Medium

Weakness: Improper Access Control - Generic

Blog posts atom feed of a store with password protection can be accessed by anyone

Reported by: xenx | Disclosed:

Medium

Weakness: Information Disclosure

Bounty: $5000.00

Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation

Reported by: ngalog | Disclosed:

Medium

[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation

Reported by: ngalog | Disclosed:

Critical

Open Redirect in www.shopify.dev Environment

Reported by: beerboy_ankit | Disclosed:

Medium

Weakness: Open Redirect

store internal email disclosed through shopify-data-exporter

Reported by: xenx | Disclosed:

Medium

Weakness: Information Disclosure

Bounty: $500.00

IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop

Reported by: inhibitor181 | Disclosed:

Medium

Weakness: Insecure Direct Object Reference (IDOR)

Bounty: $500.00

Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/

Reported by: riramar | Disclosed:

Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor

Reported by: zombiehelp54 | Disclosed:

Weakness: Open Redirect

Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly

Reported by: peroni | Disclosed:

Access to Splunk via shard3-db2.ec2.shopify.com endpoint

Reported by: ysx | Disclosed:

Weakness: Improper Authentication - Generic

Shopify Stocky App OAuth Misconfiguration

Reported by: vulnh0lic | Disclosed:

Medium

Weakness: Privilege Escalation

Self-XSS in password reset functionality

Reported by: zeesek | Disclosed:

Low

Weakness: Cross-site Scripting (XSS) - Reflected

Bounty: $500.00

STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend

Reported by: langduvnsec | Disclosed:

Medium

Weakness: Information Disclosure

Bounty: $1000.00

[h1-2102] HTML injection in packing slips can lead to physical theft

Reported by: intidc | Disclosed:

Low

Weakness: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Bounty: $900.00

Insufficient session expiration in the com.shopify.ping android app

Reported by: fr4via | Disclosed:

Low

Weakness: Insufficient Session Expiration

H1514 [*.(my)shopify.com] - Viewing Password Protected Content

Reported by: corb3nik | Disclosed:

Critical

Weakness: Improper Authentication - Generic

Bounty: $3000.00

Page 1 of 17 Next