Reflected XSS on $Any$.myshopify.com/admin
High
Vulnerability Details
# Description
Hi,
I have found a reflected cross-site scripting vulnerability in <any>.myshopify.com/admin through the return_url parameter.
# Steps to reproduce
1. Go to https://<Any>.myshopify.com/admin/authenticate?return_url=javascript:alert(100)//
2. Click on "reload this page"
3. XSS alert message
## Impact
XSS attack in <Any>.myshopify.com/admin
Report Stats
- Report ID: 422707
- State: Closed
- Substate: resolved
- Upvotes: 58
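
A server-side check that would reject the `return_url` value from the report before it reaches a link `href` or a redirect, as an added example (not part of the original report and not Shopify's actual fix). `ADMIN_ORIGIN`, `FALLBACK`, `safeReturnUrl` and `auditSamples` are hypothetical names, and the shop hostname and sample inputs are constructed.

```javascript
'use strict';

// Assumptions: constructed placeholder shop origin and a fixed fallback path.
const ADMIN_ORIGIN = 'https://example.myshopify.com';
const FALLBACK = '/admin';

// Returns a same-origin relative path, or FALLBACK if the input is not safe.
function safeReturnUrl(raw, origin = ADMIN_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return FALLBACK;
  // URL parsers strip tab/CR/LF, so "java\tscript:" still resolves to
  // javascript:. Reject control characters and spaces instead of normalising.
  if (/[\u0000-\u0020\u007f]/.test(raw)) return FALLBACK;
  // For http(s) URLs a backslash is parsed as "/", so "/\host" means "//host".
  if (raw.includes('\\')) return FALLBACK;

  let url;
  try {
    url = new URL(raw, origin); // relative inputs resolve against our origin
  } catch {
    return FALLBACK;
  }
  // Allow-list the scheme: javascript:, data:, vbscript: and http: all fail here.
  if (url.protocol !== 'https:') return FALLBACK;
  // Scheme-relative ("//other.host/") and absolute off-site URLs fail here.
  if (url.origin !== origin) return FALLBACK;
  if (url.username || url.password) return FALLBACK;
  // Emit a path built from the parsed URL; never echo the raw parameter.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs; the first is the value from the report.
const SAMPLES = [
  'javascript:alert(100)//',
  'JavaScript:alert(100)',
  'java\tscript:alert(100)',
  '//evil.example/admin',
  '/\\evil.example/admin',
  'http://example.myshopify.com/admin',
  '/admin/orders?page=2',
  'https://example.myshopify.com/admin/products#top',
];

// Maps each sample to the value that would be placed in the href or redirect.
function auditSamples() {
  return SAMPLES.map((s) => [s, safeReturnUrl(s)]);
}
```

The value must still be HTML-attribute-encoded when written into the page; this check only decides where the link is allowed to point.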