Shopify - HackerOne Reports
339 total reports: 9 Critical, 13 High, 128 Medium, 101 Low
(BYPASS) Open Redirect after login at http://ecommerce.shopify.com
Reported by: jamesclyde | Disclosed: | Weakness: Open Redirect
XSS on polaris.shopify.com/demo using postMessage
Reported by: coldd | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - DOM
Ability to verify any email address you don't own - accounts.shopify.com
Reported by: zombiehelp54 | Disclosed: | Weakness: Violation of Secure Design Principles
Inject page in admin panel via Shopify.API.pushState [New Payload]
Reported by: tiago-danin | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - DOM | Bounty: $500.00
H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie stuffing
Reported by: filedescriptor | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - DOM
Reflected XSS on $Any$.myshopify.com/admin
Reported by: dr_dragon | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Reflected | Bounty: $1500.00
H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products
Reported by: fransrosen | Disclosed: | Severity: Medium | Weakness: Command Injection - Generic
Subdomain Takeover - https://competition.shopify.com/
Reported by: llt4l | Disclosed: | Severity: Medium | Weakness: Privilege Escalation
A staff member with no permissions can edit Store Customer Email
Reported by: ash_nz | Disclosed: | Severity: Medium | Weakness: Insecure Direct Object Reference (IDOR) | Bounty: $1500.00
apps.shopify.com - CSRF token leakage through Google Analytics
Reported by: zombiehelp54 | Disclosed: | Weakness: Cross-Site Request Forgery (CSRF)
XSS at Shopify Email App
Reported by: shaktiranjan867 | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Generic
A non-privileged user may create an admin account in Stocky
Reported by: stapia | Disclosed: | Severity: Medium | Weakness: Privilege Escalation | Bounty: $1600.00
Stored XSS via upload of avatar PNG [HTML] file in accounts.shopify.com
Reported by: zerox4 | Disclosed: | Severity: Low | Weakness: Violation of Secure Design Principles
Ability to publish a paid theme without purchasing it
Reported by: saltymermaid | Disclosed: | Severity: Low | Weakness: Improper Access Control - Generic | Bounty: $2000.00
URL Path Manipulation Enables Cache Poisoning of Amazon Affiliate Products in Shopify Linkpop
Reported by: saltymermaid | Disclosed: | Severity: Low | Weakness: Cache Poisoning | Bounty: $500.00
Ability to install paid themes for free
Reported by: flashdisk | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
User with removed "manage shops" permission is still able to make changes to a shop
Reported by: flashdisk | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic
Order Creation Webhooks can be edited/deleted by STAFF with `Settings` only permission
Reported by: h13- | Disclosed: | Severity: Low | Weakness: Improper Access Control - Generic | Bounty: $500.00
Stealing users' Facebook access tokens - kitcrm.com
Reported by: zombiehelp54 | Disclosed: | Weakness: Information Disclosure
Stored XSS in SVG file as data: URL
Reported by: irisrumtub | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $5300.00