6 matches found
Shopify: Self XSS
I have found self-XSS in myshopify.com/admin/apps/import-store/ POC: 1 - Go to yourstore.myshopify.com 2 - Go to settings App - Import; it may ask you for your platform, select any one 3 - Upload a CSV file with file name payload XSS " Impact: XSS Attack...
Shopify: Reflective Cross-site Scripting via Newsletter Form
.myshopify.com is vulnerable to a reflective cross-site scripting attack in the newsletter form. This can be crafted to trigger on a page load without any further user interaction. The following example URL shows this vulnerability:...
Shopify: Reflected XSS in <any>.myshopify.com through theme preview
Hi, I have found a reflected cross-site scripting vulnerability in .myshopify.com through themehanlde parameter due to not single quotes. Steps to reproduce: 1. Navigate to .myshopify.com 2. View the source of the page and copy the value of Shopify.theme Id. 3. Navigate to...
prompt1.myshopify.com XSS vulnerability
Vulnerable URL: https://prompt1.myshopify.com
Details:

Description| Value
---|---
Patched:| Yes, at 26.02.2016
Latest check for patch:| 26.02.2016 10:31 GMT
Vulnerability type:| XSS
Vulnerability status:| Publicly disclosed
Alexa Rank| Unknown / Not calculated
Google Pagerank| 0

VIP website...
Shopify: Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS
Installing the Bulk Discount App in .myshopify.com, which requires a paid basic plan, makes the bulkdiscounts.shopifyapps.com vulnerable to XSS due to non-sanitized input in products and collections. POC: 1. Enter a product name or a collection such as " and save it. 2. Install the Shopify...
Shopify: Missing spf flags for myshopify.com
Hello guys, I just checked for SPF records for the myshopify.com domain, and there are none, effectively allowing for spam to originate from that domain. You can validate by testing yourself here: http://www.kitterman.com/spf/validate.html The SPF records are correctly set for shopify.com so I gue...