Shopify: Open Redirect on Login Page of Stocky App
The vulnerable app is Stocky. 1. Visit the login page of the app with the vulnerable parameter and a malicious website address, ?returnto=//evil.com, like https://stocky.shopifyapps.com/users/login?returnto=//evil.com 2. Then log in to the account 3. The Open Redirect is executed. PoC Video: F1172071 Impact Open Redirect...
Shopify: Stocky App Administrator can create a backdoor admin account by using an existing POS User
Details The Stocky App has POS Users that are created once a POS Staff member logs in to the application from the Point Of Sale application on a mobile device. From the user management page located at https://stocky.shopifyapps.com/users there is no visible way to edit those POS users. Although,...
Shopify: Password reset link not expired at Stocky App
You can use a password reset link to reset the password multiple times. Steps: 1. Go to https://stocky.shopifyapps.com/users/forgottenpassword and send the password reset link to your email. If this page doesn't appear, you should add login details via this https://stocky.shopifyapps.com/preferences/use...
Shopify: User with no draft order permission can still perform actions on draft orders in Stocky app (IDOR)
@imranhudaa reported that the Shopify Stocky application was missing a permission check to download purchase orders. We implemented the missing check to resolve the issue. This is a limited disclosure at their request...
Shopify: Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP
Hello Shopify Security Team! Bug Summary: This bug leads to the disclosure of any store's products, files, and purchase orders through the Shopify Stocky app. It is a bug in the Shopify app, but it affects stores also. Reproduction steps: Go to apps.shopify.com and install the Stocky app. Now you will be redirected to thi...