| # | Report title | Bounty |
|---|---|---|
| 1 | Github access token exposure | $50,000 |
| 2 | Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO | $16,000 |
| 3 | Ability to bypass partner email confirmation to take over any store given an employee email | $15,250 |
| 4 | [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation | $15,000 |
| 5 | XSS at jamfpro.shopifycloud.com | $9,400 |
| 6 | Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation | $7,500 |
| 7 | Exposed Cortex API at https://cortex-ingest.shopifycloud.com/ | $6,300 |
| 8 | Stored XSS in /admin/product and /admin/collections | $5,300 |
| 9 | Stored XSS in SVG file as data: url | $5,300 |
| 10 | XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications | $5,000 |
| 11 | IDOR on GraphQL queries BillingDocumentDownload and BillDetails | $5,000 |
| 12 | Bypass a fix for report #708013 | $3,500 |
| 13 | Reflected XSS online-store-git.shopifycloud.com | $3,500 |
| 14 | [h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) | $3,100 |
| 15 | XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" | $3,000 |
| 16 | Bypass Filter and get Stored Xss | $3,000 |
| 17 | H1514 [*.(my)shopify.com] - Viewing Password Protected Content | $3,000 |
| 18 | Blind Stored XSS Via Staff Name | $3,000 |
| 19 | [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image | $2,900 |
| 20 | https://themes.shopify.com::: Host header web cache poisoning lead to DoS | $2,900 |
| 21 | Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store! | $2,900 |
| 22 | Create free Shopify application credits. | $2,900 |
| 23 | Xss triggered in Your-store.myshopify.com/admin/apps/shopify-email/editor/**** | $2,900 |
| 24 | Admin panel Exposure without credential at https://plus-website.shopifycloud.com/admin.php | $2,900 |
| 25 | Disclose customer orders details by shopify chat application. | $2,500 |
| 26 | Tinymce 2.4.0 | $2,000 |
| 27 | Stored XSS on activity | $2,000 |
| 28 | Reflective Cross-site Scripting via Newsletter Form | $2,000 |
| 29 | Ability to publish a paid theme without purchasing it. | $2,000 |
| 30 | Ability to publish a paid theme without purchasing it. | $2,000 |
| 31 | Undocumented fileCopy GraphQL API | $2,000 |
| 32 | authenticity token not verified leads to change business name | $1,900 |
| 33 | Low Privileged Staff Member Can Export Billing Charges | $1,900 |
| 34 | Add new development stores without permission | $1,900 |
| 35 | Add new managed stores without permission | $1,900 |
| 36 | [h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only | $1,900 |
| 37 | [h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management | $1,900 |
| 38 | [h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only | $1,900 |
| 39 | Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps | $1,900 |
| 40 | [h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones | $1,900 |
| 41 | XSS while logging using Google | $1,750 |
| 42 | Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link) | $1,600 |
| 43 | A non-privileged user may create an admin account in Stocky | $1,600 |
| 44 | Ability to connect an external login service for unverified emails/accounts at accounts.shopify.com | $1,600 |
| 45 | [h1-2102] Stored XSS in product description via productUpdate GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID] | $1,600 |
| 46 | Cross-site scripting on api.collabs.shopify.com | $1,600 |
| 47 | Staff can create workflows in Shopify Admin without apps permission | $1,600 |
| 48 | Stored XSS in Dovetale by application of creator | $1,600 |
| 49 | Read/Write arbitrary (non-HttpOnly) cookies on checkout pages via GoogleAnalyticsAdditionalScripts postMessage handler | $1,600 |
| 50 | Disconnecting an external login provider does not revoke session | $1,600 |
| 51 | Misconfiguration in Two Factor Authorisation | $1,500 |
| 52 | Shopify GitHub Login and Password exposed all private source code might be available. | $1,500 |
| 53 | Reflected XSS on $Any$.myshopify.com/admin | $1,500 |
| 54 | Reflected XSS in *.myshopify.com/account/register | $1,500 |
| 55 | H1514 Get access to non public information by pivoting with graphql queries | $1,500 |
| 56 | OrderListInitial leaks order details | $1,500 |
| 57 | Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020) | $1,500 |
| 58 | A staff member with no permissions can edit Store Customer Email | $1,500 |
| 59 | Staff Member can Get POS Access Without User Interaction | $1,100 |
| 60 | XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app | $1,000 |
| 61 | XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter | $1,000 |
| 62 | Stored xss | $1,000 |
| 63 | Access to Employee calendar disclosing internal presentation and meetings | $1,000 |
| 64 | Reverse Proxy misroute leading to steal X-Shopify-Access-Token header | $1,000 |
| 65 | Stored XSS in Discounts section | $1,000 |
| 66 | Stored XSS in private message | $1,000 |
| 67 | H1514 Deanonymizing Exchange Marketplace private listings | $1,000 |
| 68 | Get analytics token using only apps permission | $1,000 |
| 69 | xss stored in https://your store.myshopify.com/admin/ | $1,000 |
| 70 | STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend | $1,000 |
| 71 | Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog | $1,000 |
| 72 | User sensitive information disclosure | $1,000 |
| 73 | staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission | $900 |
| 74 | Ability to Disable the Login Attempt of any Shopify Owner for 24 hrs (Zero_Click) | $900 |
| 75 | Bypass of fix #1370749 | $900 |
| 76 | [h1-2102] HTML injection in packing slips can lead to physical theft | $900 |
| 77 | Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account | $900 |
| 78 | Attacker is able to query Github repositories of arbitrary Shopify Hydrogen Users | $900 |
| 79 | H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption | $802.20 |
| 80 | XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app | $800 |
| 81 | Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage | $800 |
| 82 | Orders full read for a staff with only Customers permissions. | $800 |
| 83 | IDOR on stocky application-Low Stock-Variant-Settings-Columns | $750 |
| 84 | XSS in www.shopify.com/markets?utm_source= | $700 |
| 85 | Staff with no permissions could possibly list and accept billing promotions | $600 |
| 86 | Access to Splunk at https://apt.ec2.shopify.com:8089 | $500 |
| 87 | [apps.shopify.com] Open Redirect | $500 |
| 88 | Add signature to transactions without any permission | $500 |
| 89 | password less login token expiration issue | $500 |
| 90 | Stored XSS at 'Buy Button' page | $500 |
| 91 | XSS on manually entering Postal codes | $500 |
| 92 | Subdomain takeover on s3.shopify.com | $500 |
| 93 | IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop | $500 |
| 94 | XSS in my.shopify.com in widget | $500 |
| 95 | SVG Server Side Request Forgery (SSRF) | $500 |
| 96 | stored xss in invited team member via email parameter | $500 |
| 97 | Self-XSS in password reset functionality | $500 |
| 98 | Order notifications being sent for a deactivated staff account | $500 |
| 99 | Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C | $500 |
| 100 | From full-access account to Account Owner | $500 |
| 101 | Stored XSS on buy button | $500 |
| 102 | Race condition at create new Location | $500 |
| 103 | PII disclosure -- Past team members & their email ID(personal email) can be viewed by Staff member with no permissions on Partner Dashboard | $500 |
| 104 | POST-based XSS on apps.shopify.com | $500 |
| 105 | Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance. | $500 |
| 106 | SSRF in hatchful.shopify.com | $500 |
| 107 | H1514 Ability to Edit Packaging Slip Templates and View Product & Shipping Information by a low privileged staff in a Sandbox Store | $500 |
| 108 | H1514 Lack of access control on edit packing slip template | $500 |
| 109 | Order Creation Webhooks can be edited/deleted by STAFF with Settings only permission | $500 |
| 110 | Unpublished Product Images can be disclosed | $500 |
| 111 | XSS on services.shopify.com | $500 |
| 112 | STAFF member with NO Explicit permissions can view ActivityFeed via GraphQL | $500 |
| 113 | DOM XSS via Shopify.API.Modal.initialize | $500 |
| 114 | [Privilege Escalation] Shopify Admin -- Permission from Settings to Customer | $500 |
| 115 | Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) | $500 |
| 116 | Inject page in admin panel via Shopify.API.pushState | $500 |
| 117 | H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps | $500 |
| 118 | Shopify's SF and LA offices Dashboard Information disclosed via Public Gist | $500 |
| 119 | XSS on product comments in transfers | $500 |
| 120 | Stored XSS in Shopify Chat | $500 |
| 121 | Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) | $500 |
| 122 | CSRF on connecting Paypal as Payment Provider | $500 |
| 123 | None permission staff member can identify installed application and products attached to it | $500 |
| 124 | user with no draft order permission can still perform action on draft order's in stocky app (idor) | $500 |
| 125 | Path Traversal in App Proxy | $500 |
| 126 | Staff member with no permission can delete POS staff from account settings | $500 |
| 127 | Self XSS | $500 |
| 128 | Inject page in admin panel via Shopify.API.pushState with protocol invalid | $500 |
| 129 | Inject page in admin panel via Shopify.API.pushState [New Payload] | $500 |
| 130 | Subdomain Takeover Via unclaimed Heroku Instance tim-exclusive.shopify.com | $500 |
| 131 | Stored XSS on apps.shopify.com | $500 |
| 132 | your-store.myshopify.com preview link is leak on third party website lead to preview all action from store owner Without store Password. | $500 |
| 133 | Sensitive data Related to Shopify Host -> https://shopify.zendesk.com/ | $500 |
| 134 | Ability to add address without being an admin or staff in the store via wholesale store | $500 |
| 135 | staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission | $500 |
| 136 | Is the Google Bucket Meant To Be Publicly Listable? https://cdn.shopify.com/shop-assets/ | $500 |
| 137 | Bypass For #997350 your-store.myshopify.com preview link is leak on third party website Via Online Store | $500 |
| 138 | [h1-2102] Break permissions waterfall | $500 |
| 139 | Same the Url | $500 |
| 140 | Disclose STAFF member name and make actions. | $500 |
| 141 | Theme editor oseid parameter is leaked to third-party services through the Referer header which leads to some kind of storefront password bypass. | $500 |
| 142 | Information disclosure ( Google Sales Channel ) | $500 |
| 143 | Reflected XSS on help.shopify.com | $500 |
| 144 | No Session Expiry after log-out, attacker can reuse the old cookies | $500 |
| 145 | View all deleted comments and rating of any app . | $0 |
| 146 | Open Redirect possible in https://www.shopify.com/admin/ | $0 |
| 147 | (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' | $0 |
| 148 | (BYPASS) Open Redirect after login at http://ecommerce.shopify.com | $0 |
| 149 | Open CouchDB on experiments.ec2.shopify.com:5984 | $0 |
| 150 | Open redirect using checkout_url | $0 |
| 151 | Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly | $0 |
| 152 | Access to Splunk via shard3-db2.ec2.shopify.com endpoint | $0 |
| 153 | Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline | $0 |
| 154 | XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline | $0 |
| 155 | Open redirect allows changing iframe content in *.myshopify.com/admin/themes//editor | $0 |
| 156 | Payment gateway status transferred to Shopify without authentication | $0 |
| 157 | Deleted Post and Administrative Function Access in eCommerce Forum | $0 |
| 158 | race condition in adding team members | $0 |
| 159 | (BYPASS) Open redirect and XSS in supporthiring.shopify.com | $0 |
| 160 | Able to Login deactivated staff account in shopify app mobile | $0 |
| 161 | Open redirect in bulk edit | $0 |
| 162 | [ecommerce.shopify.com] Invalidated redirection | $0 |
| 163 | Unauthenticated Stored XSS on .myshopify.com via checkout page | $0 |
| 164 | XSS on postal codes | $0 |
| 165 | Authentication Bypass on monitoring server | $0 |
| 166 | apps.shopify.com - CSRF token leakage through Google Analytics | $0 |
| 167 | Stealing users' facebook access tokens - kitcrm.com | $0 |
| 168 | Stored XSS in blog comments through Shopify API | $0 |
| 169 | Full access at an internal service of Shopify | $0 |
| 170 | Stored passive XSS at scheduled posts (kitcrm.com) | $0 |
| 171 | Stored XSS in [shop].myshopify.com/admin/orders/[id] | $0 |
| 172 | CSRF in all API endpoints when authenticated using HTTP Authentication | $0 |
| 173 | Reflected XSS in .myshopify.com through theme preview | $0 |
| 174 | ShopifyAPI is vulnerable to timing attacks. | $0 |
| 175 | Stored XSS in *.myshopify.com | $0 |
| 176 | Redirect in adding advance cash on delivery app | $0 |
| 177 | API Webhooks Fire And Are Unlisted After Permissions Removed | $0 |
| 178 | SQL Exception thrown during product import | $0 |
| 179 | Open Redirect in shopify app URL | $0 |
| 180 | Setting Arbitrary Cookie at kitcrm.com | $0 |
| 181 | Stored XSS Deleting Menu Links in the Shopify Admin | $0 |
| 182 | Shopify admin authentication bypass using partners.shopify.com | $0 |
| 183 | Cross-site scripting in "Contact customer" form | $0 |
| 184 | myshopify.com domain takeover | $0 |
| 185 | Access to Private Photos of Apps in App section(IDOR) | $0 |
| 186 | XSS *.myshopify.com/collections/vendors?q= | $0 |
| 187 | Stored XSS in partners dashboard | $0 |
| 188 | Replace other user files in Inbox messages | $0 |
| 189 | Potential to abuse pricing errors in saved carts | $0 |
| 190 | ability to install paid themes for free | $0 |
| 191 | SSRF in Exchange leads to ROOT access in all instances | $0 |
| 192 | Publicly Accessible Datadog link | $0 |
| 193 | Subdomain Takeover - https://competition.shopify.com/ | $0 |
| 194 | [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network | $0 |
| 195 | Potential SSRF and disclosure of sensitive site on *shopifycloud.com | $0 |
| 196 | Preview bar: Incomplete message origin validation results in XSS | $0 |
| 197 | Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass | $0 |
| 198 | Open redirection in OAuth | $0 |
| 199 | subdomain Takeover at blog.exchangemarketplace.com | $0 |
| 200 | [ux.shopify.com] Subdomain takeover | $0 |
| 201 | Admin bar: Incomplete message origin validation results in XSS | $0 |
| 202 | App messaging can be hijacked by third-party websites | $0 |
| 203 | Disclosure of Github Issues | $0 |
| 204 | Read access to hidden orders,products,customers etc. by limited access Staff member through reference page in Comments (Information disclosure ) | $0 |
| 205 | Bypass GraphQL rate limit by abusing negative cost queries | $0 |
| 206 | H1514 Server Side Template Injection in Return Magic email templates? | $0 |
| 207 | H1514 Shopify API ruby SDK session setup lacks input validation, resulting in SSRF and leakage of client secret | $0 |
| 208 | H1514 Wholesale customer without checkout permission can complete purchases | $0 |
| 209 | H1514 Simple phishing using auto-created modal with weak URL-pattern check in incontext_app_link | $0 |
| 210 | H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing | $0 |
| 211 | H1514 Session Fixation on multiple shopify-built apps on *.shopifycloud.com and *.shopifyapps.com | $0 |
| 212 | help.shopify.com Cross Site Scripting | $0 |
| 213 | Cross Site Scripting at https://app.oberlo.com/ | $0 |
| 214 | Stored - XSS | $0 |
| 215 | Reflected XSS | $0 |
| 216 | DOM XSS via Shopify.API.remoteRedirect | $0 |
| 217 | H1514 Bypass Wholesale account signup restrictions | $0 |
| 218 | H1514 Removed Staff members who had "Apps" permission can still modify flow app connections | $0 |
| 219 | HTML injection in https://interviewing.shopify.com/index.php?candidate= | $0 |
| 220 | any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store | $0 |
| 221 | ██████ DOM XSS via Shopify.API.remoteRedirect | $0 |
| 222 | Clickjacking in [exchangemarketplace.com] | $0 |
| 223 | StoreFront API allows for a brute force attack on customer login by not timing out ALL attempts | $0 |
| 224 | Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission | $0 |
| 225 | Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections | $0 |
| 226 | H1514 Stored XSS on Wholesale sales channel allows cross-organization data leakage | $0 |
| 227 | H1514 Ability to MiTM Shopify PoS Session to Takeover Communications | $0 |
| 228 | H1514 Extract information about other sites (new sites) through Affiliate/Referral pages | $0 |
| 229 | H1514 Stored XSS in Return Magic App portal content | $0 |
| 230 | Removed staff members who had "Manage shops" permission can still create development stores | $0 |
| 231 | Ability to verify any email address you don't own - accounts.shopify.com | $0 |
| 232 | Stored XSS in https://productreviews.shopifyapps.com/proxy/v4/reviews/product | $0 |
| 233 | Shopify Stocky App OAuth Misconfiguration | $0 |
| 234 | Add store to new partner account without confirming email address. | $0 |
| 235 | Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP | $0 |
| 236 | H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products | $0 |
| 237 | Session works after logout from Shopify account | $0 |
| 238 | H1514 CSRF in Domain transfer allows adding your domain to other user's account | $0 |
| 239 | xss stored | $0 |
| 240 | Stored XSS through Facebook Page Connection | $0 |
| 241 | Session works after logout from Shopify account and password of online store is displayed | $0 |
| 242 | User with removed manage shops permissions is still able to make changes to a shop | $0 |
| 243 | Stored XSS on demo app link | $0 |
| 244 | Open Redirect - www.shopify.com | $0 |
| 245 | Subdomain Takeover of multiple *.ttcdn.co domains | $0 |
| 246 | Ability to link a Google account to another staff account/store owner that isn't linked yet | $0 |
| 247 | Account takeover intercepting magic link for Arrive app | $0 |
| 248 | GraphQL AdminGenerateSessionPayload is leaked to staff with no permission | $0 |
| 249 | Stored XSS in my staff name fired in another your internal panel | $0 |
| 250 | access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify- | $0 |
| 251 | Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation | $0 |
| 252 | Password reset link not expired at Stocky App | $0 |
| 253 | Ability to generate shipping labels in another store orders | $0 |
| 254 | increased privileges on staff account | $0 |
| 255 | Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition) | $0 |
| 256 | *.shopify.com - Authentication bypass | $0 |
| 257 | Stocky App Administrator can create a backdoor admin account by using an existing POS User | $0 |
| 258 | Self XSS in Timeline | $0 |
| 259 | Script Editor preview token still working with uninstalled application, even for unpublished script | $0 |
| 260 | XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com | $0 |
| 261 | damage to the timeline so that comment fields cannot be displayed or not available to all members in the store | $0 |
| 262 | Password protection can be removed for newly created development store | $0 |
| 263 | Admin web sessions remain active after logout of Shopify ID | $0 |
| 264 | XSS / SELF XSS | $0 |
| 265 | Partner's non-verified business email change reflected into Shopify Collaborator Request | $0 |
| 266 | XSS within Shopify Email App - Admin | $0 |
| 267 | staff can able to extend shopify trial period without admin permission | $0 |
| 268 | A staff without export customers permissions can still export customers CSV file | $0 |
| 269 | Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation | $0 |
| 270 | CircleCI token in github repo allows for access to sensitive build information | $0 |
| 271 | xss triggered in "myshopify.com/admin/product" | $0 |
| 272 | Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner | $0 |
| 273 | Customer's full name disclosure via Shopify Chat (by email lookup) | $0 |
| 274 | Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events | $0 |
| 275 | Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation | $0 |
| 276 | Self xss in product reviews | $0 |
| 277 | XSS stored in the Shopify Email app | $0 |
| 278 | Exposed Slinky Instance Admin Panel | $0 |
| 279 | Low privileged user can create high privileged user's KITCRM authorization token and can read and write message to KIT | $0 |
| 280 | Takeover an account that doesn't have a Shopify ID and more | $0 |
| 281 | The authentication code when activating 2FA can be used again to log in | $0 |
| 282 | xss on polaris.shopify.com/demo using postMessage | $0 |
| 283 | Open Redirect on Login Page of Stocky App | $0 |
| 284 | Ability to potentially hit internal NGINX locations on *.myshopify.com by making use of the X-Accel-Redirect header via a configured App Proxy | $0 |
| 285 | Screenshot Service leaks X-ABS-App-Token | $0 |
| 286 | Information disclosure - Access to some checkout information | $0 |
| 287 | The POS app doesn't revoke the Xauth token | $0 |
| 288 | [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege | $0 |
| 289 | [h1-2102] Partner's team member with no permission can retrieve services financial data | $0 |
| 290 | XSS at https://exchangemarketplace.com/blogsearch | $0 |
| 291 | Low Privileged user can add or remove cash to/from sales register | $0 |
| 292 | Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/ | $0 |
| 293 | Domain Takeover at 3hopify.media | $0 |
| 294 | Store Deletion or Sell without authentication | $0 |
| 295 | Blog posts atom feed of a store with password protection can be accessed by anyone | $0 |
| 296 | Open Redirect in www.shopify.dev Environment | $0 |
| 297 | Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com | $0 |
| 298 | Sidekiq dashboard exposed at notary.shopifycloud.com | $0 |
| 299 | Insufficient session expiration in the com.shopify.ping android app | $0 |
| 300 | Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints | $0 |
| 301 | Unauthorised access to admin endpoint on plus-website-staging5.shopifycloud.com | $0 |
| 302 | [h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS | $0 |
| 303 | Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all | $0 |
| 304 | [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status | $0 |
| 305 | xss is triggered on your web | $0 |
| 306 | Xss At Shopify Email App | $0 |
| 307 | Stored XSS at https://linkpop.com | $0 |
| 308 | Direct Access To admin Dashboard | $0 |
| 309 | Password reset token leak via "Host header" on third party website | $0 |
| 310 | [h1-2102] Information disclosure - ShopifyPlus add user displays existing Shopify ID fullname | $0 |
| 311 | EC2 Takeover at turn.shopify.com | $0 |
| 312 | [https://shipit-sox-staging.shopifycloud.com] Presence of multiple vulnerabilities present in Ruby On Rails | $0 |
| 313 | [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole | $0 |
| 314 | User with no Develop apps permission can Uninstall Custom App | $0 |
| 315 | After changing the storefront password, the preview link is still valid | $0 |
| 316 | Improper deep link validation | $0 |
| 317 | [h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement | $0 |
| 318 | Github base action takeover which is used in github.com/Shopify/unity-buy-sdk | $0 |
| 319 | One Click XSS in [www.shopify.com] | $0 |
| 320 | store internal email disclosed through shopify-data-exporter | $0 |
| 321 | XSS seems to work again after change to linkpop at https://linkpop.com/testnaglinagli | $0 |
| 322 | Self XSS in https://linkpop.com/dashboard/admin | $0 |
| 323 | Subdomain Takeover at course.oberlo.com | $0 |
| 324 | [h1-2102] [Oberlo] Least privileged user can cancel account owner's subscription via POST on /payments/subscribe | $0 |
| 325 | Non-store owners can transfer Shopify-managed domain to another domain provider | $0 |
| 326 | Staff without Manage Themes permissions can update themes | $0 |
| 327 | Blind Stored XSS in shopify internal Parquet Viewer | $0 |
| 328 | Production Key and Data Found on Subdomain No Longer Operated by Shopify / Dangling DNS | $0 |
| 329 | Exposure of shopify employee summit page allows anonymous user to place orders for free books | $0 |