XSS in Draft Orders in Timeline in SHOPIFY Admin Site!
Unknown
Vulnerability Details
1. Create a Draft with a product named "><img src=x onerror=prompt('XSSP')
2. Send the Draft to someone and complete the order.
The order is shown under Completed Drafts (order.png).
3. Create a timeline and reference this Draft. As soon as you click POST you will be XSSed (xss.png).
Thanks
Report Stats
- Report ID: 117449
- State: Closed
- Substate: resolved
- Upvotes: 7
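
The report's product name starts with `">`, which closes a quoted attribute and its tag before the `<img>` element begins. The sketch below is an added example, not part of the report and not Shopify's code: it assumes a timeline entry that places a referenced draft's product title into both an attribute and a text node, and every function name, the `/drafts/` path and the sample record are hypothetical.

```javascript
// Added illustration; not Shopify's code. All names and paths are hypothetical.

// Product title taken from step 1 of the report (attacker-controlled input).
const REPORTED_TITLE = `"><img src=x onerror=prompt('XSSP')`;

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the title is concatenated raw into an attribute and a text node.
function renderDraftReferenceUnsafe(draft) {
  return `<a href="/drafts/${draft.id}" title="${draft.title}">${draft.title}</a>`;
}

// Hardened pattern: the id is constrained to digits and the title is encoded at output time.
function renderDraftReferenceSafe(draft) {
  if (!/^\d+$/.test(String(draft.id))) throw new TypeError("draft id must be numeric");
  const title = escapeHtml(draft.title);
  return `<a href="/drafts/${draft.id}" title="${title}">${title}</a>`;
}

// Crude regression check: did the markup gain an element the template never intended?
function injectsElement(html) {
  return /<img\b/i.test(html);
}

const draft = { id: 1001, title: REPORTED_TITLE }; // constructed sample record
console.log("unsafe:", renderDraftReferenceUnsafe(draft));
console.log("safe:  ", renderDraftReferenceSafe(draft));
```

Encoding at the point of output matters here because the title was stored when the draft was created and only rendered later in a different view, so input-time filtering on the product form alone would not cover the timeline.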