Shopify: XSS at Bulk editing products

2015-06-10T08:15:22
ID H1:67132
Type hackerone
Reporter mafia
Modified 2015-06-17T15:04:22

Description

After following the steps above in #67125, go to Bulk editing products:

For me the URL was: https://img-src-x-onerror-prompt1-24.myshopify.com/admin/bulk?resource_name=Product&edit=variants.sku%2Cvariants.price%2Cvariants.compare_at_price&message=&return_to=%2Fadmin%2Fproducts&ids=1151578433

It is also vulnerable to XSS. (Change the required fields in the above URL according to your shop.)