Bugpoint – Telegram
Bugpoint
1.06K subscribers
3.73K photos
3.73K links
Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg

[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserRole

👉 https://hackerone.com/reports/1084638

🔹 Severity: Medium | 💰 950 USD
🔹 Reported To: Shopify
🔹 Reported By: #ramsexy
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 7:06pm (UTC)

User with no Develop apps permission can Uninstall Custom App

👉 https://hackerone.com/reports/1466855

🔹 Severity: Low | 💰 600 USD
🔹 Reported To: Shopify
🔹 Reported By: #ayyoub
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 8:33pm (UTC)

[h1-2102] [PLUS] User with Store Management Permission can Make enforceSamlOrganizationDomains call - that should be limited to User Management Only

👉 https://hackerone.com/reports/1084939

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)

[h1-2102] [Plus] User with Store Management Permission can Make convertUsersFromSaml/convertUsersToSaml - that should be limited to User Management

👉 https://hackerone.com/reports/1084904

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)

[h1-2102] [Plus] User with Store Management Permission can Make changeDomainEnforcementState - that should be limited to User Management Only

👉 https://hackerone.com/reports/1084892

🔹 Severity: Medium | 💰 1,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #ngalog
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:05pm (UTC)

Open redirect by the parameter redirectUri in the URL

👉 https://hackerone.com/reports/1250758

🔹 Severity: Low
🔹 Reported To: BlackRock
🔹 Reported By: #mrccrqr
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:10pm (UTC)

After changing the storefront password, the preview link is still valid

👉 https://hackerone.com/reports/1370749

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #tomorrow_future
🔹 State: 🟢 Resolved
🔹 Disclosed: April 21, 2022, 10:38pm (UTC)

Bypass of fix #1370749

👉 https://hackerone.com/reports/1489077

🔹 Severity: Low | 💰 900 USD
🔹 Reported To: Shopify
🔹 Reported By: #encryptsaan123
🔹 State: 🟢 Resolved
🔹 Disclosed: April 22, 2022, 12:41am (UTC)

Attacker can bypass authentication build on ingress external auth (`nginx.ingress.kubernetes.io/auth-url`)

👉 https://hackerone.com/reports/1357948

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Kubernetes
🔹 Reported By: #thisbug
🔹 State: ⚪️ Informative
🔹 Disclosed: April 23, 2022, 7:07am (UTC)

Renderers can obtain access to random bluetooth device without permission

👉 https://hackerone.com/reports/1519099

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #palmeral
🔹 State: 🟢 Resolved
🔹 Disclosed: April 23, 2022, 5:23pm (UTC)

--libcurl code injection via trigraphs

👉 https://hackerone.com/reports/1548535

🔹 Severity: Low
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: ⚪️ Informative
🔹 Disclosed: April 24, 2022, 10:07pm (UTC)

CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 bypass if string not 32 chars

👉 https://hackerone.com/reports/1549461

🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 9:05am (UTC)

CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 comparison disaster

👉 https://hackerone.com/reports/1549435

🔹 Severity: Medium
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🔴 N/A
🔹 Disclosed: April 25, 2022, 10:58am (UTC)

Xss triggered in Your-store.myshopify.com/myshopify.com/admin/apps/shopify-email/editor/****

👉 https://hackerone.com/reports/1472471

🔹 Severity: Medium | 💰 2,900 USD
🔹 Reported To: Shopify
🔹 Reported By: #danishalkatiri
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 11:01am (UTC)

Visibility Robots.txt file

👉 https://hackerone.com/reports/1450014

🔹 Severity: No Rating
🔹 Reported To: Krisp
🔹 Reported By: #razahack
🔹 State: 🟤 Duplicate
🔹 Disclosed: April 25, 2022, 12:20pm (UTC)

Force User to Accept Attacker's invite [ Restrict user to create account]

👉 https://hackerone.com/reports/1420070

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Krisp
🔹 Reported By: #sammam
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 12:27pm (UTC)

Local file disclosure through SSRF at next.nutanix.com

👉 https://hackerone.com/reports/471520

🔹 Severity: High
🔹 Reported To: Nutanix
🔹 Reported By: #tosun
🔹 State: 🟢 Resolved
🔹 Disclosed: April 25, 2022, 10:27pm (UTC)

RCE via exposed JMX server on jabber.37signals.com/jabber.basecamp.com

👉 https://hackerone.com/reports/1456063

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Basecamp
🔹 Reported By: #ian
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 7:01am (UTC)

Stored XSS in "product type" field executed via product filters

👉 https://hackerone.com/reports/1404770

🔹 Severity: Medium | 💰 500 USD
🔹 Reported To: Judge.me
🔹 Reported By: #glister
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 4:11pm (UTC)

SQL Injection on https://soa-accp.glbx.tva.gov/ via "/api/" path - VI-21-015

👉 https://hackerone.com/reports/1125752

🔹 Severity: Critical
🔹 Reported To: Tennessee Valley Authority
🔹 Reported By: #yassinek3ch
🔹 State: 🟢 Resolved
🔹 Disclosed: April 26, 2022, 7:33pm (UTC)

CVE-2022-27774: Credential leak on redirect

👉 https://hackerone.com/reports/1543773

🔹 Severity: High
🔹 Reported To: curl
🔹 Reported By: #nyymi
🔹 State: 🟢 Resolved
🔹 Disclosed: April 27, 2022, 9:58am (UTC)