2 matches found
Shopify: Stored passive XSS at scheduled posts (kitcrm.com)
Hello! There is improper filtration of the website link field of a scheduled post. An attacker can intercept the scheduled post creation/modifying request and change its content the following way: http POST /pages/175422/manualposts/31163 HTTP/1.1 Host: kitcrm.com...
Shopify: Setting Arbitrary Cookie at kitcrm.com
Hey, the src parameter of Image is not being sanitized, which allows me to set cookies at kitcrm.com. Proof of Concept: 1. Create a post at https://kitcrm.com/pages/ID/manualposts/new 2. Select Schedule for Later 3. Go to Scheduled Posts https://kitcrm.com/pages/ID/manualposts 4. Click Edit on your...