Shopify: Cross Site Scripting at https://app.oberlo.com/

2019-04-18T21:25:51
ID H1:542258
Type hackerone
Reporter masterhackor
Modified 2019-05-26T22:25:25

Description

1- Create an account at https://app.oberlo.com/

2- Go to https://app.oberlo.com/settings/account/profile

3- Inject JavaScript code or an XSS payload in the Name form

4- It will be printed on the page and executed

The payload that I used: "><img src=x onerror=alert(document.domain)>

Impact

This vulnerability can be used by an attacker to serve malicious JavaScript against any user.
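
Why the reported payload executes when the Name value is printed back, and how output encoding stops it, as an added example that is not part of the original report and is not Oberlo's code. The `<input>` markup, the function names and the small tag scanner are assumptions, since the report does not show the page's template.

```javascript
// Added example: hypothetical rendering of a profile "Name" field.
// The markup and function names are assumptions, not Oberlo's code.

// Encode the characters that are significant in HTML text and in
// quoted attribute values. '&' must be replaced first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored name is concatenated into a quoted attribute,
// so a leading "> closes the attribute and the tag.
function renderNameFieldUnsafe(name) {
  return '<input type="text" name="name" value="' + name + '">';
}

// Hardened: same markup, value encoded for the attribute context.
function renderNameFieldSafe(name) {
  return '<input type="text" name="name" value="' + escapeHtml(name) + '">';
}

// Minimal scanner for this demo: returns the names of the start tags
// in `html`, treating a '>' inside a quoted attribute value as data.
// It is not a full HTML parser.
function startTags(html) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Payload quoted in the report above.
const reported = '"><img src=x onerror=alert(document.domain)>';

// Unsafe rendering yields an extra <img> element carrying the handler;
// safe rendering keeps the whole payload inside the value attribute.
console.log(startTags(renderNameFieldUnsafe(reported)));
console.log(startTags(renderNameFieldSafe(reported)));
```

The same encoding has to be applied wherever the name is displayed, not only on the profile form.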