Self-XSS in password reset functionality
Low
Vulnerability Details
Hi,
When I opened this domain of yours,
https://accounts.shopify.com/password-reset/new
I just put the following text into email address box,
<h1 style="color:blue;">█████</h1>
it changes the colour of the text.
Well, my point here is that if you could inject HTML, you might be able to add a <form> tag to the page.
I also uploaded the picture as proof.
Peace.
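Added example, not part of the original report and not Shopify's code: a sketch of how a reflected email field ends up parsed as markup, next to a version that validates the value and HTML-encodes it on output. The function names, the page fragment and the messages are assumptions; the sample input is constructed from the payload quoted in the report, with the redacted text replaced by a placeholder.

```javascript
// Hypothetical server-side rendering of a password-reset form that echoes the
// submitted email back to the user. All names here are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Shape check, deliberately stricter than RFC 5322: one "@", a dot in the
// domain part, no whitespace and no markup or quote characters.
function isPlausibleEmail(value) {
  return typeof value === "string" && value.length <= 254 &&
    /^[^\s@<>"'&]+@[^\s@<>"'&]+\.[^\s@<>"'&]+$/.test(value);
}

// "Before": the raw value is concatenated into markup, so tags in the input
// are parsed as HTML by the browser.
function renderResetFormUnsafe(email) {
  return `<input type="email" name="email" value="${email}">` +
         `<p class="error">No account found for ${email}</p>`;
}

// "After": validate the value, and encode on output whatever validation says.
function renderResetFormSafe(email) {
  const shown = escapeHtml(email);
  const message = isPlausibleEmail(email)
    ? `If an account exists for ${shown}, a reset link has been sent.`
    : `The value ${shown} is not a valid email address.`;
  return `<input type="email" name="email" value="${shown}">` +
         `<p class="error">${message}</p>`;
}

// Constructed input modelled on the report's payload (placeholder text).
const samplePayload = '<h1 style="color:blue;">PLACEHOLDER</h1>';

// Counts raw opening tags of a few element types that the template itself
// never emits; anything above zero came from the reflected input.
function injectedTagCount(html) {
  return (html.match(/<(h1|form|script|img)\b/gi) || []).length;
}
```

Encoding at the point of output is what removes the injection; the shape check only gives the user an earlier, clearer error.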
Report Stats
- Report ID: 286667
- State: Closed
- Substate: resolved
- Upvotes: 30