Shopify - HackerOne Reports
View on HackerOne
Total Reports: 339 | Critical: 9 | High: 13 | Medium: 128 | Low: 101
xss is triggered on your web
Reported by: jaka-tingkir | Disclosed:
Severity: Medium | Weakness: Cross-site Scripting (XSS) - DOM
Admin panel Exposure without credential at https://plus-website.shopifycloud.com/admin.php
Reported by: c1ph3r1st | Disclosed:
Severity: Medium | Weakness: Improper Access Control - Generic | Bounty: $2900.00
[h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS
Reported by: xiridium | Disclosed:
Severity: Low | Weakness: Business Logic Errors
POST-based XSS on apps.shopify.com
Reported by: chaosbolt | Disclosed:
Severity: Low | Weakness: Cross-site Scripting (XSS) - Generic | Bounty: $500.00
Disconnecting an external login provider does not revoke session
Reported by: itsmeattacker | Disclosed:
Severity: Medium | Weakness: Insufficient Session Expiration
Reflected XSS online-store-git.shopifycloud.com
Reported by: 0xbepresent | Disclosed:
Severity: Medium | Weakness: Cross-site Scripting (XSS) - Reflected | Bounty: $3500.00
Delete/modify your own comment after limited access (IDOR)
Reported by: indoappsec | Disclosed:
Weakness: Privilege Escalation
Read access to hidden orders, products, customers etc. by limited access Staff member through reference page in Comments (Information disclosure)
Reported by: indoappsec | Disclosed:
Weakness: Improper Authentication - Generic
PII disclosure -- Past team members & their email ID (personal email) can be viewed by Staff member with no permissions on Partner Dashboard
Reported by: h13- | Disclosed:
Severity: Low | Weakness: Information Disclosure | Bounty: $500.00
XSS on product comments in transfers
Reported by: chj2934 | Disclosed:
Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $500.00
XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications
Reported by: bored-engineer | Disclosed:
Severity: High | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $5000.00
Session works after logout from Shopify account
Reported by: cryptographer | Disclosed:
Severity: Low | Weakness: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The authentication code when activating 2FA can be used again to log in
Reported by: shadow-m | Disclosed:
Severity: Low | Weakness: Improper Access Control - Generic
Stored XSS in my staff name fired in another your internal panel
Reported by: cyber__sec | Disclosed:
Severity: High | Weakness: Cross-site Scripting (XSS) - Stored
stored xss in invited team member via email parameter
Reported by: coldd | Disclosed:
Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $500.00
Stored XSS through Facebook Page Connection
Reported by: boredengineer21 | Disclosed:
Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored
Stored XSS in Shopify Chat
Reported by: mosuan | Disclosed:
Severity: Low | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $500.00
Domain Takeover at 3hopify.media
Reported by: m7mdharoun | Disclosed:
Weakness: Privilege Escalation
Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store!
Reported by: adarshxs | Disclosed:
Severity: Medium | Bounty: $2900.00
Stored XSS in SVG file as data: url
Reported by: irisrumtub | Disclosed:
Severity: Medium | Weakness: Cross-site Scripting (XSS) - Stored | Bounty: $5300.00