Shopify: Reflected XSS in chat.

ID H1:81757
Type hackerone
Reporter dz_samir
Modified 2015-09-02T16:43:15


Hello, log in to the chat and upload a file with a payload name (code injection) like <img src="c" onerror=alert(1)>; the HTML code will execute.

<span>You are not allowed to upload '<img src="c" onload="alert(1)">' files, allowed types: jpg, jpeg, gif, png</span>

Hadji Samir
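
The fix for the reflection reported above is to HTML-escape the uploaded file's type before it is placed in the rejection message; the following is an added example, not code from the report or from Shopify. All function names are hypothetical, and it assumes the message is assembled as an HTML string from the file name, as the span quoted above suggests.

```javascript
// Added example; function names are hypothetical, not Shopify's code.
const ALLOWED_TYPES = ['jpg', 'jpeg', 'gif', 'png'];

// Escape the five characters that are significant in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Text after the last dot, lower-cased; the whole name when there is no dot.
function fileType(fileName) {
  const dot = fileName.lastIndexOf('.');
  return (dot === -1 ? fileName : fileName.slice(dot + 1)).toLowerCase();
}

// Behaviour described in the report: the user-controlled value goes into markup unescaped.
function rejectionMessageVulnerable(fileName) {
  return `<span>You are not allowed to upload '${fileType(fileName)}' files, ` +
         `allowed types: ${ALLOWED_TYPES.join(', ')}</span>`;
}

// Hardened: same message, the reflected value is HTML-escaped before it reaches the markup.
function rejectionMessageSafe(fileName) {
  return `<span>You are not allowed to upload '${escapeHtml(fileType(fileName))}' files, ` +
         `allowed types: ${ALLOWED_TYPES.join(', ')}</span>`;
}

// Returns null for an allowed upload, otherwise the safe rejection markup.
function checkUpload(fileName) {
  return ALLOWED_TYPES.includes(fileType(fileName)) ? null : rejectionMessageSafe(fileName);
}

// Constructed sample input: the file name given in the report.
const sample = '<img src="c" onerror=alert(1)>';
console.log(rejectionMessageVulnerable(sample)); // markup contains a live <img> element
console.log(checkUpload(sample));                // same text, rendered inert
```

When the message is built in the browser, assigning the value through `textContent` instead of concatenating markup achieves the same result without a hand-written escaper.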