3 matches found
Shopify: Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints
Summary: Shopify has a feature called Print Packing Slip. With this tool, users can easily print a packing slip after customers make an order. The generated packing slip can be downloaded as a PDF file. Users can edit the Edit packing slip template to match the shop design. However, there's hav...
Shopify: [h1-2102] HTML injection in packing slips can lead to physical theft
Summary: An HTML injection vulnerability exists in the packing slip generator, allowing customers to alter the logistical process of their own and others' orders for shops that choose to display the user's e-mail address on the packing slip. The success rate depends on the shop's setup and can result i...
Shopify: H1514 Lack of access control on edit packing slip template
Summary: An admin is able to edit the Edit packing slip template at /admin/settings/packingsliptemplate. However, a staff user with only "Home" permission and none other can view and also make edits to this template. Description: The Edit packing slip feature exists so an admin user can customize...