Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline
Unknown
Vulnerability Details
Hi!
I would like to report an XSS in the Shopify Admin Interface, in the Orders Timeline, in the line "Username processes this order at NAME".
NAME is not sanitized, and if it is set to <img src=x onerror=prompt(1)>, XSS will happen.
***POC***
Visit
https://whitehat-3.myshopify.com/admin/orders/2253786753
or
https://whitehat-3.myshopify.com/admin/orders/2253753665
XSS will trigger!
Thanks!
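Added example, not part of the report or of Shopify's own code: the timeline line rendered with HTML escaping applied to both untrusted fields, plus a check that the resulting markup contains no tags beyond the template's own. The function names and the list-item template are assumptions.

```javascript
// Added example (not Shopify's code): render the Orders Timeline line
// "<user> processes this order at <location>" with HTML-escaped values,
// so a location name such as "<img src=x onerror=prompt(1)>" is shown
// as literal text instead of being parsed as markup.

function escapeHtml(value) {
  // Encode every character that can open a tag, attribute or entity.
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the timeline entry as an HTML string; both fields are treated as
// untrusted because the location name comes from the POS channel.
function renderTimelineEntry(username, locationName) {
  return (
    '<li class="timeline-entry">' +
    escapeHtml(username) +
    " processes this order at " +
    escapeHtml(locationName) +
    "</li>"
  );
}

// Defensive check for tests: true if the rendered markup contains any tag
// other than the <li> the template itself emits (i.e. injected markup).
function containsForeignTags(html) {
  const allowed = new Set(["li"]);
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample input using the payload from the report.
const SAMPLE_LOCATION = "<img src=x onerror=prompt(1)>";
const SAMPLE_ENTRY = renderTimelineEntry("alice", SAMPLE_LOCATION);
console.log(SAMPLE_ENTRY);
console.log("foreign tags:", containsForeignTags(SAMPLE_ENTRY));
```

A location name containing an apostrophe or ampersand (for example "O'Hare & Co") survives the encoding and is displayed unchanged by the browser, so escaping at render time does not corrupt legitimate names.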
Report Stats
- Report ID: 166887
- State: Closed
- Substate: resolved
- Upvotes: 12