Shopify: XSS in Admin site in TAX Overrides

ID H1:62427
Type hackerone
Reporter nismo
Modified 2015-06-09T20:55:33


POC: If you create a collection such as "><IMG SRC=x onerror=prompt(7)> and then go to Settings / Taxes and select "Add a tax override" then on the "Add Tax Override for Rest of World" select the previously created collection of "><IMG SRC=x onerror=prompt(7)> you can see it on the screen (addtax.png).

If you press the recycle bin "Delete Entire Override" (delete.png), the XSS fires (xss.png).
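As an added example, not Shopify's code, the snippet below shows the pattern behind this report: the collection name from the POC interpolated into a hypothetical tax-override row without escaping, beside the same row rendered with HTML escaping, plus a check a regression test could use. The row template and function names are assumptions.

```javascript
// Added example (not Shopify's code): rendering a user-controlled
// collection name into a tax-override row with and without HTML escaping.
// The collection name is the one from the report.
const COLLECTION_NAME = '"><IMG SRC=x onerror=prompt(7)>';

// Minimal HTML escaper; safe for text nodes and double-quoted attributes.
// '&' must be replaced first so already-escaped output is not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape (hypothetical template): raw concatenation into markup.
// The '">' prefix of the name closes the title attribute, and the rest of
// the name becomes a new element in the page.
function renderOverrideRowUnsafe(collectionName) {
  return '<tr><td>' + collectionName + '</td>' +
    '<td><a href="#" title="Delete Entire Override for ' + collectionName +
    '">Delete Entire Override</a></td></tr>';
}

// Hardened shape: escape at every interpolation point, attribute included.
function renderOverrideRowSafe(collectionName) {
  const safe = escapeHtml(collectionName);
  return '<tr><td>' + safe + '</td>' +
    '<td><a href="#" title="Delete Entire Override for ' + safe +
    '">Delete Entire Override</a></td></tr>';
}

// Regression check: the template contains no <img>, so any <img> tag in
// the rendered output came from the collection name.
function containsInjectedImg(html) {
  return /<img\b/i.test(html);
}

console.log(renderOverrideRowUnsafe(COLLECTION_NAME)); // injected <IMG ...> present
console.log(renderOverrideRowSafe(COLLECTION_NAME));   // name shown as literal text
```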