Shopify - HackerOne Reports
336 Total Reports: 9 Critical, 13 High, 127 Medium, 100 Low
XSS at Shopify Email App
Reported by: shaktiranjan867 | Disclosed: | Severity: Low | Weakness: Cross-site Scripting (XSS) - Generic
Screenshot Service leaks X-ABS-App-Token
Reported by: corraldev | Disclosed: | Weakness: Server-Side Request Forgery (SSRF)
Disconnecting an external login provider does not revoke session
Reported by: itsmeattacker | Disclosed: | Severity: Medium | Weakness: Insufficient Session Expiration
Stored XSS in my staff name fired in another of your internal panels
Reported by: cyber__sec | Disclosed: | Severity: High | Weakness: Cross-site Scripting (XSS) - Stored
Domain Takeover at 3hopify.media
Reported by: m7mdharoun | Disclosed: | Weakness: Privilege Escalation
[h1-2102] Partner's team member with no permission can retrieve services financial data
Reported by: imgnotfound | Disclosed: | Severity: Medium | Weakness: Improper Authorization
[h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status
Reported by: rhynorater | Disclosed: | Severity: Low | Weakness: Cross-Site Request Forgery (CSRF)
[h1-2102] [Yaworski's Broskis] Low-privilege user can read POS PINs via GraphQL and elevate his privilege
Reported by: ramsexy | Disclosed: | Severity: Medium | Weakness: Information Disclosure
Stocky App Administrator can create a backdoor admin account by using an existing POS User
Reported by: imgnotfound | Disclosed:
H1514 Ability to MitM Shopify POS Session to Take Over Communications
Reported by: teknogeek | Disclosed: | Severity: Medium | Weakness: Business Logic Errors
ShopifyAPI is vulnerable to timing attacks.
Reported by: edoverflow | Disclosed: | Severity: Low | Weakness: Cryptographic Issues - Generic
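The entry above records a timing-attack finding against ShopifyAPI but gives no detail. The Ruby below is an added example, not the report's content and not Shopify's or the ShopifyAPI gem's code: it shows the general pattern such findings usually reduce to, an early-exit equality check on a secret (here an HMAC over a request body) beside a constant-time one, and makes the leak observable by counting how many bytes each comparison inspects instead of measuring time. The secret, body and every function name (expected_hmac, leaky_compare, constant_time_compare, verify_hmac?, inspections_for_prefix) are constructed for this example.

```ruby
require "openssl"

# Constructed sample input (not from the report): a shared secret and a
# request body of the kind a webhook receiver would authenticate with an HMAC.
SECRET = "example-shared-secret"
BODY   = '{"id":1,"total":"10.00"}'

# Hex-encoded HMAC-SHA256 of body under secret, as a receiver would compute it.
def expected_hmac(secret, body)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, body)
end

# Early-exit comparison, the pattern behind most timing findings: it returns at
# the first mismatching byte, so its running time grows with the length of the
# attacker's correct prefix. Returns [match?, bytes_inspected] so the leak can
# be observed deterministically without a timer.
def leaky_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytesize.times do |i|
    return [false, i + 1] if a.getbyte(i) != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison: XOR-accumulates a difference over every byte and
# only looks at the result at the end, so bytes_inspected is always the full
# length and no branch depends on where the first mismatch is. The length
# check still exits early; that is acceptable for fixed-length digests.
def constant_time_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  diff = 0
  a.bytesize.times { |i| diff |= a.getbyte(i) ^ b.getbyte(i) }
  [diff.zero?, a.bytesize]
end

# How a receiver should check a presented HMAC (hypothetical helper).
def verify_hmac?(secret, body, presented)
  constant_time_compare(expected_hmac(secret, body), presented).first
end

# Builds a guess that shares its first correct_prefix_len hex characters with
# the real digest and differs at every later position, then reports how many
# bytes each comparison inspected before deciding. With the leaky compare the
# count is correct_prefix_len + 1, which is exactly what an attacker recovers
# one byte at a time from response timing.
def inspections_for_prefix(secret, body, correct_prefix_len)
  real  = expected_hmac(secret, body)
  tail  = real[correct_prefix_len..-1].tr("0-9a-f", "1-9a-f0") # every char changed
  guess = real[0, correct_prefix_len] + tail
  { leaky: leaky_compare(real, guess)[1],
    constant: constant_time_compare(real, guess)[1] }
end

if __FILE__ == $PROGRAM_NAME
  [0, 8, 32, 48].each do |k|
    r = inspections_for_prefix(SECRET, BODY, k)
    puts "guess with #{k} correct bytes: leaky inspected #{r[:leaky]}, " \
         "constant-time inspected #{r[:constant]}"
  end
end
```

In production Ruby the hand-rolled constant_time_compare would normally be replaced by a library routine such as Rack::Utils.secure_compare or ActiveSupport::SecurityUtils.secure_compare; the point of writing it out here is to show why the early-exit loop is the defect.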
Staff can extend Shopify trial period without admin permission
Reported by: risinghunter | Disclosed: | Severity: Low | Weakness: Improper Access Control - Generic
Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
Reported by: tolo7010 | Disclosed: | Weakness: Information Disclosure
XSS on postal codes
Reported by: pappan | Disclosed: | Severity: Medium | Weakness: Cross-site Scripting (XSS) - Generic
[h1-2102] Break permissions waterfall
Reported by: hogarth45 | Disclosed: | Severity: Low | Bounty: $500.00
From full-access account to Account Owner
Reported by: rms | Disclosed: | Weakness: Privilege Escalation | Bounty: $500.00
Account takeover intercepting magic link for Arrive app
Reported by: nsl182 | Disclosed: | Severity: Low | Weakness: Insufficiently Protected Credentials
[h1-2102] [Plus] User with Store Management permission can make convertUsersFromSaml/convertUsersToSaml calls that should be limited to User Management
Reported by: ngalog | Disclosed: | Severity: Medium | Weakness: Privilege Escalation
[h1-2102] [PLUS] User with Store Management permission can make the enforceSamlOrganizationDomains call that should be limited to User Management only
Reported by: ngalog | Disclosed: | Severity: Medium | Weakness: Improper Authorization
Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com
Reported by: samux | Disclosed: | Severity: Medium | Weakness: Improper Access Control - Generic