Stored XSS in my staff name fired in another your internal panel
High
Shopify
Team Summary
Official summary from Shopify
Several years ago, @cyber__sec placed a cross-site scripting payload in the name of a staff member on his test shop. This payload recently executed in our internal administration panel, alerting us to a cross-site scripting bug. Because @cyber__sec's payload triggered the bug, we asked him to submit a report. We awarded the maximum bounty under our Cross-site scripting category because the payload executed in our internal administrator panel, resulting in a high security impact.
Reported by
cyber__sec
Vulnerability Details
Technical details and impact analysis
Hi all,
I had lots of tests for bug bounty in my test store "trstore-3.myshopify.com" (created about 4 years ago) and then one of your developers noticed that a stored cross-site scripting payload in my staff name fired in another of your internal panels.
I have attached the email sent to me by your colleague, and I'd like to get an award and I am very happy.
Thanks a lot.
## Impact
Stored XSS
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Cross-site Scripting (XSS) - Stored