Shopify: shopifyapps.com XSS on sales channels via currency formatting

2015-12-09T14:29:32
ID H1:104359
Type hackerone
Reporter reactors08
Modified 2015-12-14T19:10:36

Description

The Pinterest, Twitter, Buy Button and Facebook sales channels are vulnerable to XSS via currency formatting.

Steps to reproduce:
- remove the Pinterest, Twitter, Buy Button and Facebook sales channels at .myshopify.com/admin/channels
- go to .myshopify.com/admin/settings/general
- change the currency formatting as shown in currency_formatting.jpg (check attachment)
- add the Pinterest, Twitter, Buy Button and Facebook sales channels at *.myshopify.com/admin/channels
- check the Pinterest, Twitter and Buy Button tabs
- create a collection and add a product to it (skip this step if you already have a collection with a product)
- go to the Facebook tab --> Shop (*.myshopify.com/admin/apps/shopify-facebook/collections)
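The report keeps the actual format string in an attachment, so the payload is not on this page. What follows is an added illustration, not code from the report or from Shopify, of the bug class it describes: a store-admin-supplied money format (Shopify money formats use an `{{amount}}` placeholder, e.g. `${{amount}}`) interpolated into sales-channel HTML without escaping, beside a hardened renderer that escapes the output and a save-time whitelist check for the format itself. The function names, the markup and the sample payload are constructed for this example.

```javascript
// Added illustration of the bug class (not the report's payload or Shopify's code).
// An admin-controlled money format such as "${{amount}}" is substituted and then
// dropped into channel markup; everything in the format outside {{amount}} is
// emitted verbatim, so the format string itself is an HTML injection point.

const AMOUNT_PLACEHOLDER = /\{\{\s*amount\s*\}\}/g;

// Amount is stored in cents; render with two decimals (sign handled explicitly).
function centsToDecimal(cents) {
  const sign = cents < 0 ? '-' : '';
  const abs = Math.abs(cents);
  return `${sign}${Math.floor(abs / 100)}.${String(abs % 100).padStart(2, '0')}`;
}

function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the formatted money string goes straight into markup.
function renderPriceUnsafe(cents, format) {
  const money = format.replace(AMOUNT_PLACEHOLDER, centsToDecimal(cents));
  return `<span class="price">${money}</span>`;
}

// Hardened at render time: escape the whole formatted string. The substituted
// amount is purely numeric, so escaping leaves the intended output unchanged.
function renderPriceSafe(cents, format) {
  const money = format.replace(AMOUNT_PLACEHOLDER, centsToDecimal(cents));
  return `<span class="price">${htmlEscape(money)}</span>`;
}

// Hardened at save time: only accept formats built from letters, digits, currency
// symbols, whitespace and a little punctuation, and require the placeholder.
// (Hypothetical policy for the example; a real deployment would tune this list.)
const FORMAT_ALLOWED = /^[\p{L}\p{N}\p{Sc}\s.,'\{\}\(\)-]*$/u;
function isFormatAllowed(format) {
  return FORMAT_ALLOWED.test(format) && /\{\{\s*amount\s*\}\}/.test(format);
}

// Constructed samples: a benign format and an attacker-chosen one.
const BENIGN_FORMAT = '${{amount}} USD';
const MALICIOUS_FORMAT = '${{amount}}<img src=x onerror=alert(document.domain)>';

function demo() {
  return {
    unsafe: renderPriceUnsafe(1999, MALICIOUS_FORMAT),
    safe: renderPriceSafe(1999, MALICIOUS_FORMAT),
    benignAccepted: isFormatAllowed(BENIGN_FORMAT),
    maliciousAccepted: isFormatAllowed(MALICIOUS_FORMAT),
  };
}
```

The two defences are complementary: output escaping protects every channel that renders the format, while the whitelist stops a hostile format from ever being stored, which matters because the same setting is consumed by several channel apps that may each render it differently.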