An administrator without the 'Settings' permission is able to see payment gateways

Disclosed: 2015-11-18 20:58:31 By brakhane To shopify
Unknown
Vulnerability Details
Description
====
An administrator who lacks the 'Settings' permission is not able to see the shop's payment gateways through the UI. But the endpoint `shop.myshopify.com/admin/payment_gateways.json` does disclose payment gateways to the unprivileged user.

Mitigation
====
Restrict the endpoint in question to be only accessible with the correct permission set.
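The authorization gap the report describes, as an added example written for this page rather than Shopify's own code: a permission check that only decides whether the UI shows the Settings link, beside the same check enforced by the JSON endpoint as the Mitigation section asks. The `Admin` struct, the `:settings` permission symbol, the handler names and the gateway data are assumptions.

```ruby
require 'json'

# Constructed sample data: the payment gateways enabled on this shop.
PAYMENT_GATEWAYS = [
  { 'id' => 1, 'name' => 'Example Gateway', 'enabled' => true }
].freeze

# Hypothetical staff account: a name and the permission set it holds.
Admin = Struct.new(:name, :permissions) do
  def can?(perm)
    permissions.include?(perm)
  end
end

# UI-only gating of the kind that created the gap: it only decides which
# navigation links are rendered, so it is not an access control.
def settings_link_visible?(admin)
  admin.can?(:settings)
end

# Vulnerable behaviour: the endpoint never re-checks the permission that
# the UI relies on, so any authenticated admin receives the gateway list.
def payment_gateways_json_vulnerable(_admin)
  [200, JSON.generate('payment_gateways' => PAYMENT_GATEWAYS)]
end

# Hardened behaviour: enforce the same permission server-side on every
# representation of the resource, not only on the page that links to it.
def payment_gateways_json_fixed(admin)
  return [403, JSON.generate('errors' => 'Forbidden')] unless admin.can?(:settings)

  [200, JSON.generate('payment_gateways' => PAYMENT_GATEWAYS)]
end

# Regression check: what the UI hides, the endpoint must refuse, and vice
# versa. Returns false when the two disagree, as they do in the report.
def ui_and_api_agree?(admin, handler)
  status, = handler.call(admin)
  settings_link_visible?(admin) == (status == 200)
end
```

Running `ui_and_api_agree?` over every permission combination in a test suite catches this class of mismatch before a new JSON endpoint ships.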
Report Stats
  • Report ID: 96908
  • State: Closed
  • Substate: resolved
  • Upvotes: 3