EXNESS: Double forward slash breaks server-side restrictions & allows access to prohibited services from a partner account
A vulnerability was discovered where making an API call with double/multiple forward slashes broke server-side restrictions imposed upon a partner account, allowing unrestricted access to the autorebates facility, which was otherwise unavailable to the partner account...
Shopify: access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify-
I can get increased privileges from accounts that have been deleted from Shopify Partners. A partner uses another business email account, and when the business email has been replaced or deleted from a partner, it turns out that the account still has full access as a collaborator account or still...
Shopify: Add store to new partner account without confirming email address.
Details When someone signs up for a new account on partners.shopify.com they are asked to confirm their email address before they can do anything, and by anything I mean add stores, invite members, use affiliate tools and so on. Apparently they can leverage an issue on partners.shopify.com to...
Shopify: Stored XSS on demo app link
Hi, I found stored XSS in apps.shopify.com in the DEMO URL of the apps you create. PoC: 1. Go to your partner account and create a new app. 2. Go to the DEMO link in https://apps.shopify.com/services/appsubmissions/edit of your app, put in the payload you see below: F374863, and when pressing on preview...
Mail.ru: Partner Account Takeover on https://www.delivery-club.ru via a user account.
Improper access control allowed user account to perform privileged actions for partner's account with same ID. The situation is the same as in 324230, but in the opposite direction. Partner accounts can be taken over using a session from the main site...
Mail.ru: Account Takeover on https://www.delivery-club.ru via a partner account.
Improper access control allowed partner account to perform privileged actions for user's account with same ID. Incorrect session validation...
Shopify: Ability to bypass partner email confirmation to take over any store given an employee email
I told Pete I would take a look at Spotify, hi Pete. Summary It's possible to take over any store account through partners given an employee email address. This is possible because I found a way to confirm arbitrary emails. I don't know the Shopify ecosystem well enough to know the other...
Shopify: CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com
Hi, I have found that when a user tries to export the list of current users who installed his apps through: https://app.shopify.com/services/partners/apiclients//exportinstalledusers the fields of the CSV file are not properly escaped, which makes them vulnerable to CSV Excel Macro Injection...