5 matches found
Shopify: Subdomain Takeover at course.oberlo.com
Hi, I was able to take over your subdomain course.oberlo.com by using Kajabi services. PoC: visit https://course.oberlo.com/ and you will see my PoC: https://web.archive.org/web/20220904143512/https://course.oberlo.com/ Suggested Fix: Clear your subdomain DNS. Impact: Subdomains Takeovers can be use ...
Shopify: [h1-2102] [Oberlo] Least privileged user can cancel account owner's subscription via POST on /payments/subscribe
Vulnerability description not provided...
Shopify: Reflected XSS
Hi team, I found a reflected XSS on the https://app.oberlo.com domain. Reproduce: Visit https://app.oberlo.com/auth?shop=%3C/noscript%3E%3Cimg%20src=x%20onerror=promptdocument.domain%3E in the latest version of the Firefox browser. You will see a popup like the attached screenshot: F485407 Tested in Latest...
Shopify: Cross Site Scripting at https://app.oberlo.com/
1- Create an account from https://app.oberlo.com/ 2- Path to https://app.oberlo.com/settings/account/profile 3- Inject JavaScript code or an XSS payload at the Name form 4- It will be printed at the page and executed. Payload that I used it " Impact: This vulnerability can be used by attacker to serve malicio...
Shopify: Stored - XSS
Hello Security Team, I have found a stored XSS vulnerability. PoC: Step 1: Go to https://app.oberlo.com/suppliers Step 2: Click on any product; you will be redirected to a URL as I have given for example...