Shopify: Reflected XSS on $Any$.myshopify.com/admin

Description : Hi, I have found a reflected cross site scripting vulnerability in .myshopify.com/admin through returnurl parameter . Step to reproduce : 1-Go to https://.myshopify.com/admin/authenticate?returnurl=javascript:alert100// 2-Click on reload this page 3-Xss alert message Impact Xss atta...

Shopify: XSS in Myshopify Admin Site in DISCOUNTS

POC 1. Go to Customers and add a new search group named "img src=x onerror=prompt7 See creategroup.png 2. Go to Discounts and add a Discount Code based on Customer group and choose the one created above 3. Click Save XSS in discounts occur discountxss.png...