hackerone Chj2934 H1:738072
History Nov 15, 2019 - 6:24 a.m.

Shopify: XSS on product comments in transfers

2019-11-15 06:24:31
chj2934
hackerone.com
$500
58

Summary:

You are able to copy and paste stored XSS code into the comment section of a product in the transfers tab and receive the error.

Reproduce:

  1. Create a product with the name ‘"’><img src>’
  2. Add a transfer with that product.
  3. Now go back to the product, use the code button and type the same code for the title: ‘"’><img src>’
  4. You will get an XSS pop-up; however, ignore it. As soon as you get here you need to get out of the code setting and into the normal text and copy the little piece of code with the image.
  5. Delete the code that we put in the HTML for the XSS.
  6. Go back to transfers and paste the code that we copied there.
  7. Error

Impact

steal cookie