CVE-2023-37238
The wireless projection module incompletely verifies an app's permission to access a certain API. Successful exploitation of this vulnerability may affect some wireless projection features...
Shopify: Get analytics token using only apps permission
It seems apps that can read "analytics" have an embedded analytics token. To access the /admin/reportify/token.json endpoint, explicit dashboard or reports permission is required. A staff member with only the "apps" permission can leverage the permissions of apps that can read reports to extract...
Shopify: Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections
The following report intends to disclose a bypass for 416983. It has been found that removed staff members who had the "Apps" permission can still modify Flow app connection settings due to improper authorization. Description: Signed URLs generated by Shopify Flow (https://apps.shopify.com/flow) use a...
Shopify: IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
SUMMARY: Hello, I have found a permission problem in https://partners.shopify.com that allows a member with only the "Manage apps" permission to get various shop information and also list the staff accounts from inside that shop without having access to the shop's admin area. REPLICATION STEPS...