Shopify Program Statistics

346 total issues disclosed

$668,937 total paid publicly

Most disclosed (50 disclosures) — Cross-site Scripting (XSS) - Generic

Disclosed Reports

Report Title Vulnerability Type Disclosed By Severity Disclosed on
Bypass a fix for report #708013 Brute Force scaramouche31 Medium 2021-12-07
xss is triggered on your web Cross-site Scripting (XSS) - DOM jaka_tingkir Medium 2021-12-06
[h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status Cross-Site Request Forgery (CSRF) rhynorater Low 2021-12-06
Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all Privilege Escalation yinvi777 Medium 2021-12-04
Unauthorised access to admin endpoint on plus-website-staging5.shopifycloud.com Improper Access Control - Generic j0j0 Medium 2021-12-03
Ability to add address without being an admin or staff in the store via wholesale store None supplied hydraxanon82 Low 2021-12-03
[h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS Business Logic Errors c0rv4x Low 2021-12-03
Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints None supplied cthulhufhtagn Low 2021-12-02
Insufficient session expiration in the **com.shopify.ping** android app Insufficient Session Expiration fr4via Low 2021-11-26
Sidekiq dashboard exposed at notary.shopifycloud.com Information Disclosure youstin Medium 2021-11-25
A non-privileged user may create an admin account in Stocky Privilege Escalation stapia Medium 2021-11-25
Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link) None supplied hydraxanon82 Medium 2021-11-21
Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com Information Disclosure savik None 2021-11-18
Open Redirect in www.shopify.dev Environment Open Redirect beerboy_ankit Medium 2021-11-18
Blog posts atom feed of a store with password protection can be accessed by anyone Information Disclosure xenx Medium 2021-11-08
Sensitive data related to Shopify host -> https://shopify.zendesk.com/ Cleartext Storage of Sensitive Information sam_exploit None 2021-11-08
Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage Violation of Secure Design Principles golim Low 2021-10-21
Domain Takeover at 3hopify.media Privilege Escalation m7mdharoun None 2021-10-21
Store Deletion or Sell without authentication Improper Authentication - Generic fr4via Low 2021-10-21
Create free Shopify application credits. Improper Access Control - Generic jmp_35p Medium 2021-09-10
Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/ None supplied riramar None 2021-08-16
Github access token exposure None supplied augustozanellato Critical 2021-07-26
your-store.myshopify.com preview link is leaked on a third-party website, leading to preview of all actions from the store owner without the store password. Improper Authentication - Generic danishalkatiri Medium 2021-07-12
Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store! None supplied superbsic Medium 2021-07-08
Add new managed stores without permission Improper Access Control - Generic jmp_35p Medium 2021-07-08
Low Privileged user can add or remove cash to/from sales register Privilege Escalation sandeep_rj49 Low 2021-06-16
Add new development stores without permission Improper Access Control - Generic jmp_35p Medium 2021-06-04
XSS at https://exchangemarketplace.com/blogsearch Cross-site Scripting (XSS) - Generic fatal0 Medium 2021-04-09
https://themes.shopify.com::: Host header web cache poisoning lead to DoS Denial of Service g4mm4 Medium 2021-04-08
[h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) Incorrect Permission Assignment for Critical Resource intidc Medium 2021-03-25
Information disclosure - Access to some checkout information None supplied francisbeaudoin Medium 2021-03-13
Low Privileged Staff Member Can Export Billing Charges Improper Access Control - Generic ash_nz Medium 2020-11-26
[Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image Information Disclosure vocotnhan Medium 2020-11-21
Self xss in product reviews Cross-site Scripting (XSS) - Generic tomorrow_future No rating 2020-11-19
Staff Member can Get POS Access Without User Interaction None supplied ngalog Medium 2020-11-19
Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation None supplied francisbeaudoin No rating 2020-11-19
Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner None supplied francisbeaudoin Medium 2020-11-19
Customer's full name disclosure via Shopify Chat (by email lookup) Information Disclosure francisbeaudoin No rating 2020-11-19
XSS stored in the Shopify Email app Cross-site Scripting (XSS) - Stored tomorrow_future No rating 2020-11-19
Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events Information Disclosure francisbeaudoin No rating 2020-11-19
authenticity token not verified leads to change business name Cross-Site Request Forgery (CSRF) cforu Medium 2020-10-23
A staff member with no permissions can edit Store Customer Email Insecure Direct Object Reference (IDOR) ash_nz Medium 2020-10-22
User sensitive information disclosure Privacy Violation a_yang Medium 2020-10-22
Undocumented `fileCopy` GraphQL API Improper Access Control - Generic ash_nz Medium 2020-10-22
Self XSS Cross-site Scripting (XSS) - Generic wannacry0x01 No rating 2020-09-17
Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation Privilege Escalation say_ch33se Critical 2020-09-15
CircleCI token in github repo allows for access to sensitive build information Information Disclosure dwimmerlaik No rating 2020-09-15
staff is able to extend shopify trial period without admin permission Improper Access Control - Generic risinghunter Low 2020-09-15
xss triggered in "myshopify.com/admin/product" None supplied jaka_tingkir High 2020-09-15
A staff without export customers permissions can still export customers CSV file Improper Access Control - Generic ryat No rating 2020-09-15
Partner's non-verified business email change reflected into Shopify Collaborator Request Improper Access Control - Generic francisbeaudoin No rating 2020-09-14
XSS within Shopify Email App - Admin Cross-site Scripting (XSS) - Stored francisbeaudoin No rating 2020-09-14
XSS / SELF XSS Cross-site Scripting (XSS) - Generic whoami991 Low 2020-09-14
Staff member with no permission can delete POS staff from account settings Privilege Escalation kunal94 Low 2020-09-14
Password protection can be removed for newly created development store None supplied francisbeaudoin No rating 2020-09-14
Admin web sessions remain active after logout of Shopify ID Insufficient Session Expiration jaka_tingkir No rating 2020-09-14
Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog Improper Neutralization of HTTP Headers for Scripting Syntax dakitu Low 2020-09-11
damage to the timeline so that comment fields cannot be displayed or not available to all members in the store None supplied jaka_tingkir No rating 2020-09-09
Takeover an account that doesn't have a Shopify ID and more None supplied francisbeaudoin Critical 2020-09-02
XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com Violation of Secure Design Principles zerox4 Low 2020-08-30
Ability to publish a paid theme without purchasing it. Improper Access Control - Generic saltymermaid Low 2020-08-27
Path Traversal in App Proxy Path Traversal ngalog Medium 2020-08-25
Self XSS in Timeline Cross-site Scripting (XSS) - Generic ryat No rating 2020-08-25
Script Editor preview token still working with uninstalled application, even for unpublished script None supplied francisbeaudoin No rating 2020-08-25
Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020) Information Disclosure saltymermaid Medium 2020-08-25
xss stored in https://your store.myshopify.com/admin/ Cross-site Scripting (XSS) - Stored zwail Low 2020-08-24
STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend Information Disclosure langduvnsec Medium 2020-08-24
Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition) Privilege Escalation meow-hacker-meow Medium 2020-08-24
Stocky App Administrator can create a backdoor admin account by using an existing POS User None supplied francisbeaudoin No rating 2020-08-24
increased privileges on staff account None supplied jaka_tingkir Medium 2020-08-24
*.shopify.com - Authentication bypass None supplied nooblife No rating 2020-08-24
Password reset link not expired at Stocky App Improper Access Control - Generic ayyoub No rating 2020-08-19
Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation Information Disclosure tolo7010 No rating 2020-08-19
Ability to generate shipping labels in another store orders Insecure Direct Object Reference (IDOR) francisbeaudoin No rating 2020-08-19
Blind Stored XSS Via Staff Name Cross-site Scripting (XSS) - Stored rioncool22 High 2020-08-18
OrderListInitial leaks order details Information Disclosure sreeju_kc Medium 2020-08-18
access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify- None supplied jaka_tingkir Medium 2020-08-18
Get analytics token using only apps permission Information Disclosure jmp_35p Medium 2020-08-18
Stored XSS in my staff name fired in another your internal panel Cross-site Scripting (XSS) - Stored cyber__sec High 2020-07-30
Stored XSS in my staff name fired in another your internal panel Cross-site Scripting (XSS) - Stored cyber__sec High 2020-07-29
GraphQL AdminGenerateSessionPayload is leaked to staff with no permission None supplied hiffley High 2020-07-16
Account takeover intercepting magic link for Arrive app Insufficiently Protected Credentials nsl182 Low 2020-07-15
Ability to link a Google account to another staff account/store owner that isn't linked yet None supplied francisbeaudoin No rating 2020-07-15
user with no draft order permission can still perform actions on draft orders in stocky app (idor) Improper Authentication - Generic imranhudaa No rating 2020-07-15
IDOR on stocky application-Low Stock-Variant-Settings-Columns Insecure Direct Object Reference (IDOR) sreeju_kc Medium 2020-07-14
Subdomain Takeover of multiple *.ttcdn.co domains Violation of Secure Design Principles priyanshuxo Low 2020-07-14
Open Redirect - www.shopify.com Open Redirect zonduu Low 2020-07-14
User with removed manage shops permissions is still able to make changes to a shop Improper Access Control - Generic flashdisk Medium 2020-06-12
Stored XSS on demo app link Cross-site Scripting (XSS) - Stored flashdisk Medium 2020-06-12
Session works after logout from Shopify account and password of online store is displayed None supplied danerh Low 2020-04-27
None permission staff member can identify installed application and products attached to it Information Disclosure sreeju_kc Low 2020-04-21
CSRF on connecting Paypal as Payment Provider Cross-Site Request Forgery (CSRF) ngalog Medium 2020-04-10
Stored XSS through Facebook Page Connection Cross-site Scripting (XSS) - Stored boredengineer21 Low 2020-04-04
xss stored Cross-site Scripting (XSS) - Stored davscol94 No rating 2020-04-03
Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO None supplied ngalog Critical 2020-04-01
[Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation None supplied ngalog Critical 2020-04-01
Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation None supplied ngalog Medium 2020-04-01
Session works after logout from Shopify account Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') cryptographer Low 2020-03-30
H1514 CSRF in Domain transfer allows adding your domain to other user's account Cross-Site Request Forgery (CSRF) rijalrojan High 2020-03-30
Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) Cross-site Scripting (XSS) - Reflected mosuan Low 2020-03-16
H1514 Deanonymizing Exchange Marketplace private listings Information Disclosure fisher Medium 2020-03-10
H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products Command Injection - Generic fransrosen Medium 2020-02-06
Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP Privilege Escalation hackrzvijay No rating 2020-02-02
Stored XSS in Shopify Chat Cross-site Scripting (XSS) - Stored mosuan Low 2019-12-23
Shopify Stocky App OAuth Misconfiguration Privilege Escalation vulnh0lic Medium 2019-12-11
Stored XSS in private message Cross-site Scripting (XSS) - Stored mosuan Medium 2019-11-08
Ability to verify any email address you don't own - accounts.shopify.com Violation of Secure Design Principles zombiehelp54 No rating 2019-11-08
H1514 Ability to MiTM Shopify PoS Session to Takeover Communications Business Logic Errors teknogeek Medium 2019-11-04
H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps Cross-site Scripting (XSS) - DOM bored-engineer Medium 2019-11-04
Reflective Cross-site Scripting via Newsletter Form Cross-site Scripting (XSS) - Reflected dostoevskylabs High 2019-10-11
Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission Client-Side Enforcement of Server-Side Security mariogh Medium 2019-10-10
██████ DOM XSS via Shopify.API.remoteRedirect Cross-site Scripting (XSS) - DOM yxw21 Low 2019-09-15
XSS while logging using Google Cross-site Scripting (XSS) - Reflected ashketchum No rating 2019-09-11
Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) Improper Authentication - Generic tems Low 2019-08-14
STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL Improper Access Control - Generic h13- Low 2019-06-18
H1514 Removed Staff members who had "Apps" permission can still modify flow app connections Improper Authorization zombiehelp54 Medium 2019-06-14
XSS on services.shopify.com Cross-site Scripting (XSS) - Stored encryptsaan123 Low 2019-06-14
Unpublished Product Images can be disclosed Improper Access Control - Generic h13- Low 2019-06-12
H1514 Bypass Wholesale account signup restrictions Improper Access Control - Generic cablej Medium 2019-06-07
H1514 [*.(my)shopify.com] - Viewing Password Protected Content Improper Authentication - Generic corb3nik High 2019-05-22
H1514 Session Fixation on multiple shopify-built apps on *.shopifycloud.com and *.shopifyapps.com Session Fixation filedescriptor No rating 2019-04-25
H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing Cross-site Scripting (XSS) - DOM filedescriptor High 2019-04-17
H1514 Server Side Template Injection in Return Magic email templates? Code Injection zombiehelp54 No rating 2019-04-04
Reflected XSS on $Any$.myshopify.com/admin Cross-site Scripting (XSS) - Reflected dr_dragon High 2018-11-13
PII disclosure -- Past team members & their email ID(personal email) can be viewed by Staff member with no permissions on Partner Dashboard Information Disclosure h13- Low 2018-11-08
Disclosure of Github Issues Information Disclosure rijalrojan Medium 2018-11-08
Stored xss Cross-site Scripting (XSS) - Stored dr_dragon High 2018-11-07
App messaging can be hijacked by third-party websites Violation of Secure Design Principles palant Medium 2018-11-07
Admin bar: Incomplete message origin validation results in XSS Cross-site Scripting (XSS) - DOM palant Medium 2018-11-07
[ux.shopify.com] Subdomain takeover Improper Access Control - Generic bobrov Medium 2018-10-19
Race condition at create new Location Business Logic Errors zhurig Low 2018-10-05
subdomain Takeover at blog.exchangemarketplace.com None supplied m7mdharoun Low 2018-10-01
Stored XSS on buy button Cross-site Scripting (XSS) - Stored tony_tsep Low 2018-09-29
Open redirection in OAuth Open Redirect dr_dragon Low 2018-09-24
Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass Improper Authentication - Generic rijalrojan Critical 2018-09-19
From full-access account to Account Owner Privilege Escalation rms No rating 2018-09-18
Stored XSS on activity Cross-site Scripting (XSS) - Stored shazad_sadiq High 2018-08-14
Preview bar: Incomplete message origin validation results in XSS Cross-site Scripting (XSS) - DOM palant Medium 2018-07-26
Potential SSRF and disclosure of sensitive site on *shopifycloud.com Server-Side Request Forgery (SSRF) rijalrojan Low 2018-07-19
[out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network Server-Side Request Forgery (SSRF) bored-engineer Medium 2018-07-11
Subdomain Takeover - https://competition.shopify.com/ Privilege Escalation llt4l Medium 2018-06-19
Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C Improper Access Control - Generic tbh Low 2018-06-15
Publicly Accessible Datadog link Information Disclosure rijalrojan Medium 2018-06-15
SSRF in Exchange leads to ROOT access in all instances Server-Side Request Forgery (SSRF) 0xacb Medium 2018-05-23
ability to install paid themes for free Improper Access Control - Generic flashdisk Medium 2018-05-16
Potential to abuse pricing errors in saved carts Business Logic Errors richardf Medium 2018-05-02
Replace other user files in Inbox messages Insecure Direct Object Reference (IDOR) rijalrojan Medium 2018-05-01
Stored XSS in partners dashboard Cross-site Scripting (XSS) - Stored bastianwelfrid Low 2018-04-18
Order notifications being sent for a deactivated staff account Improper Authorization newbie_101 Low 2018-04-12
XSS *.myshopify.com/collections/vendors?q= Cross-site Scripting (XSS) - Reflected gromoza Medium 2018-04-08
XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter Cross-site Scripting (XSS) - DOM bored-engineer None 2018-04-03
Access to Private Photos of Apps in App section(IDOR) Insecure Direct Object Reference (IDOR) vijay_kumar1110 Medium 2018-03-05
myshopify.com domain takeover Business Logic Errors 0xacb Medium 2018-02-27
Ability to bypass partner email confirmation to take over any store given an employee email Time-of-check Time-of-use (TOCTOU) Race Condition cache-money Critical 2018-02-07
Cross-site scripting in "Contact customer" form Cross-site Scripting (XSS) - Stored protector47 Low 2017-12-19
Self-XSS in password reset functionality Cross-site Scripting (XSS) - Reflected itszeeshan Low 2017-11-10
stored xss in invited team member via email parameter Cross-site Scripting (XSS) - Stored coldd Medium 2017-11-03
Shopify admin authentication bypass using partners.shopify.com Improper Authorization uzsunny9 Critical 2017-09-28
Shopify admin authentication bypass using partners.shopify.com Improper Authorization uzsunny Critical 2017-09-28
Tinymce 2.4.0 Cross-site Scripting (XSS) - DOM jelmer Medium 2017-09-26
SVG Server Side Request Forgery (SSRF) Server-Side Request Forgery (SSRF) floyd Low 2017-09-22
Stored XSS Deleting Menu Links in the Shopify Admin Cross-site Scripting (XSS) - Stored geeklegend Medium 2017-09-08
Setting Arbitrary Cookie at kitcrm.com None supplied dhaval None 2017-08-23
XSS in my.shopify.com in widget Cross-site Scripting (XSS) - Generic xssa Medium 2017-07-21
Open Redirect in shopify app URL Open Redirect pappan Low 2017-07-21
IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop Insecure Direct Object Reference (IDOR) inhibitor181 Medium 2017-07-19
SQL Exception thrown during product import Information Exposure Through an Error Message pappan Medium 2017-07-12
XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications Cross-site Scripting (XSS) - Stored bored-engineer High 2017-06-28
API Webhooks Fire And Are Unlisted After Permissions Removed Improper Access Control - Generic yaworsk Low 2017-06-27
Redirect in adding advance cash on delivery app Open Redirect ashish_r_padelkar Low 2017-06-27
Stored XSS in *.myshopify.com Cross-site Scripting (XSS) - Stored jamesclyde Medium 2017-06-27
ShopifyAPI is vulnerable to timing attacks. Cryptographic Issues - Generic edoverflow Low 2017-06-23
Shopify GitHub Login and Password exposed all private source code might be available. Information Disclosure todayisnew No rating 2017-06-08
XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app Cross-site Scripting (XSS) - Generic bored-engineer High 2017-06-01
XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" Cross-site Scripting (XSS) - DOM bored-engineer No rating 2017-05-30
Reflected XSS in <any>.myshopify.com through theme preview Cross-site Scripting (XSS) - Reflected zombiehelp54 No rating 2017-05-29
XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app Cross-site Scripting (XSS) - Generic bored-engineer High 2017-05-22
CSRF in all API endpoints when authenticated using HTTP Authentication Cross-Site Request Forgery (CSRF) zombiehelp54 No rating 2017-03-28
Stored XSS in [shop].myshopify.com/admin/orders/[id] Cross-site Scripting (XSS) - Generic zombiehelp54 No rating 2017-03-28
Stored passive XSS at scheduled posts (kitcrm.com) Cross-site Scripting (XSS) - Reflected skavans Medium 2017-03-28
Full access at an internal service of Shopify Information Disclosure jamesclyde No rating 2017-03-28
Stored XSS in blog comments through Shopify API Cross-site Scripting (XSS) - Generic prakharprasad Medium 2017-03-16
Stealing users' facebook access tokens - kitcrm.com Information Disclosure zombiehelp54 No rating 2017-03-15
Subdomain takeover on s3.shopify.com Cross-site Scripting (XSS) - Generic avlidienbrunn No rating 2017-02-28
apps.shopify.com - CSRF token leakage through Google Analytics Cross-Site Request Forgery (CSRF) zombiehelp54 No rating 2017-02-07
Authentication Bypass on monitoring server Improper Authentication - Generic jamesclyde Low 2017-01-11
XSS on postal codes Cross-site Scripting (XSS) - Generic pappan Medium 2017-01-11
XSS on manually entering Postal codes Cross-site Scripting (XSS) - Generic prem1807 Medium 2016-12-17
Misconfiguration in Two Factor Authorisation None supplied dhaval No rating 2016-12-17
Unauthenticated Stored XSS on <any>.myshopify.com via checkout page Cross-site Scripting (XSS) - Generic zombiehelp54 No rating 2016-12-16
Stored XSS at 'Buy Button' page Cross-site Scripting (XSS) - Generic zuh4n No rating 2016-12-16
[ecommerce.shopify.com] Invalidated redirection Open Redirect shailesh4594 Low 2016-12-04
Open redirect in bulk edit Open Redirect zombiehelp54 No rating 2016-12-04
Able to Login deactivated staff account in shopify app mobile Privilege Escalation clarckowen_ No rating 2016-11-29
(BYPASS) Open redirect and XSS in supporthiring.shopify.com Cross-Site Request Forgery (CSRF) jamesclyde No rating 2016-11-21
race condition in adding team members Violation of Secure Design Principles flashdisk Low 2016-11-10
password less login token expiration issue Improper Authentication - Generic satishb3 No rating 2016-10-19
Add signature to transactions without any permission Improper Authentication - Generic supernatural No rating 2016-10-07
Deleted Post and Administrative Function Access in eCommerce Forum Privilege Escalation ysx No rating 2016-10-05
Payment gateway status transferred to Shopify without authentication Cross-Site Request Forgery (CSRF) ishwar_prasad_bhat No rating 2016-09-27
[apps.shopify.com] Open Redirect Open Redirect bobrov No rating 2016-09-26
Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor Open Redirect zombiehelp54 No rating 2016-09-22
XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline Cross-site Scripting (XSS) - Generic nismo No rating 2016-09-19
Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline Cross-site Scripting (XSS) - Generic nismo No rating 2016-09-19
Access to Splunk via shard3-db2.ec2.shopify.com endpoint Improper Authentication - Generic ysx No rating 2016-09-19
Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly None supplied sacurifity No rating 2016-09-06
Open redirect using checkout_url Open Redirect zombiehelp54 No rating 2016-09-01
Open CouchDB on experiments.ec2.shopify.com:5984 None supplied fransrosen No rating 2016-09-01
Access to Splunk at https://apt.ec2.shopify.com:8089 None supplied lewerkun No rating 2016-09-01
(BYPASS) Open Redirect after login at http://ecommerce.shopify.com Open Redirect jamesclyde No rating 2016-09-01
(FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' Improper Authentication - Generic jamesclyde No rating 2016-09-01
View all deleted comments and rating of any app . Information Disclosure vijay_kumar No rating 2016-09-01
Open Redirect possible in https://www.shopify.com/admin/ Open Redirect jamesclyde No rating 2016-08-31
Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 Improper Authentication - Generic mico02 No rating 2016-08-09
Delete/modify your own comment after limited access(IDOR) Privilege Escalation vijay_kumar1110 No rating 2016-08-09
Staff member can delete Private Apps Privilege Escalation vijay_kumar1110 No rating 2016-08-09
Redirect url after login is not validated Open Redirect capripio No rating 2016-07-28
XSS in Draft Orders in Timeline in SHOPIFY Admin Site! Cross-site Scripting (XSS) - Generic nismo No rating 2016-07-28
[CSRF] Install premium themes Cross-Site Request Forgery (CSRF) zombiehelp54 No rating 2016-07-27
Stealing livechat token and using it to chat as the user - user information disclosure Improper Authentication - Generic zombiehelp54 No rating 2016-07-19
https://windsor.shopify.com/ takeover Open Redirect zseano No rating 2016-07-19
Potentially Sensitive Information on GitHub Information Disclosure wkcaj No rating 2016-07-17
Authentication Bypass on Icinga monitoring server Improper Authentication - Generic wkcaj No rating 2016-07-17
Staff members with no permission can access the files uploaded by the administrator Privilege Escalation hexrby No rating 2016-07-07
Fetching external resources through svg images Information Disclosure detroitsmash No rating 2016-06-21
SVG parser loads external resources on image upload Cross-Site Request Forgery (CSRF) ogig No rating 2016-06-02
staff member can install apps even if they have limited access Privilege Escalation abdellahyal No rating 2016-05-05
Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP` Privilege Escalation coolboss No rating 2016-04-20
Bypassed password authentication before enabling OTP verification Improper Authentication - Generic jbbbkj No rating 2016-04-15
XSS on hardware.shopify.com Cross-site Scripting (XSS) - Generic virtualhunter No rating 2016-04-09
Stored XSS via "Free Shipping" option (Discounts) Cross-site Scripting (XSS) - Generic ancst No rating 2016-04-05
XSS on https://app.shopify.com/ Cross-site Scripting (XSS) - Generic secalert No rating 2016-04-05
xss in the all widgets of shopifyapps.com Cross-site Scripting (XSS) - Generic sergeym No rating 2016-03-16
Stored XSS in https://checkout.shopify.com/ Cross-site Scripting (XSS) - Generic niyaax No rating 2016-03-15
Stored Cross Site Scripting Cross-site Scripting (XSS) - Generic hussein98d No rating 2016-03-13
Injection via CSV Export feature in Admin Orders None supplied wakadotz No rating 2016-03-12
XSS on hardware.shopify.com Cross-site Scripting (XSS) - Generic mdv No rating 2016-03-01
File name and folder enumeration. Information Disclosure derision No rating 2016-03-01
create staff member without owner access Improper Authentication - Generic supernatural No rating 2016-02-29
S3 Buckets open to the world thanks to 'Authenticated Users' ACL Improper Authentication - Generic brakhane No rating 2016-02-23
CSRF on https://shopify.com/plus Information Disclosure mdv No rating 2016-02-17
Stored XSS in /admin/orders Cross-site Scripting (XSS) - Generic zombiehelp54 No rating 2016-02-17
many xss in widgets.shopifyapps.com Cross-site Scripting (XSS) - Generic sergeym No rating 2016-02-04
CSRF in Connecting Pinterest Account Cross-Site Request Forgery (CSRF) mercurii No rating 2016-02-02
Full access to Amazon S3 bucket containing AWS CloudTrail logs Information Disclosure koenrh No rating 2016-02-01
Twitter Disconnect CSRF Cross-Site Request Forgery (CSRF) akhil-reni No rating 2016-02-01
Attach Pinterest account - no State/CSRF parameter in Oauth Call back Cross-Site Request Forgery (CSRF) akhil-reni No rating 2016-02-01
www.shopify.com XSS via third-party script Cross-site Scripting (XSS) - Generic reactors08 No rating 2016-02-01
[livechat.shopify.com] Cookie bomb at customer chats None supplied s_p_q_r No rating 2016-01-19
HTTP-Response-Splitting on v.shopify.com None supplied krankopwnz No rating 2016-01-17
"Remember me" token generated when "Remember me" box unchecked Improper Authentication - Generic dhaval No rating 2016-01-13
Reflected XSS in cart at hardware.shopify.com Cross-site Scripting (XSS) - Generic juhhga No rating 2015-12-22
Reflective XSS on wholesale.shopify.com Cross-site Scripting (XSS) - Generic krankopwnz No rating 2015-12-22
Open Redirect at *.myshopify.com/account/login?checkout_url= Open Redirect batman No rating 2015-12-16
Open redirect using theme install Open Redirect blinkms No rating 2015-12-14
shopifyapps.com XSS on sales channels via currency formatting Cross-site Scripting (XSS) - Generic reactors08 No rating 2015-12-14
An administrator without any permission is able to get order notifications using his APNS Token. Improper Authentication - Generic rms No rating 2015-12-14
Missing of csrf protection Cross-Site Request Forgery (CSRF) harishkumar0394 No rating 2015-12-07
XSS in creating tweets Cross-site Scripting (XSS) - Generic haxs101 No rating 2015-12-03
Non-owner user can remove online store channel and re-add it. Improper Authentication - Generic zombiehelp54 No rating 2015-12-03
[CSRF] Activate PayPal Express Checkout Cross-Site Request Forgery (CSRF) zombiehelp54 No rating 2015-12-03
Cookie securing your "Opening soon" store is not secured against XSS Violation of Secure Design Principles jurajk No rating 2015-12-01
CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com Command Injection - Generic zombiehelp54 No rating 2015-12-01
Apps can access 'channels' beta api Privilege Escalation rms No rating 2015-11-18
An administrator without the 'Settings' permission is able to see payment gateways Improper Authentication - Generic brakhane No rating 2015-11-18
deleted staff member can add his amazon marketplace web services account to the store. Improper Authentication - Generic zombiehelp54 No rating 2015-11-18
Privilege escalation and circumvention of permission to limited access user Improper Authentication - Generic ayid No rating 2015-11-11
'Limited' RCE in certain places where Liquid is accepted Code Injection brakhane No rating 2015-11-11
A 'Full access' administrator is able to see the shop owners user details Privilege Escalation brakhane No rating 2015-11-11
List of devices is accessible regardless of the account limitations Information Disclosure rms No rating 2015-11-10
Accessing Payments page and adding payment methods with limited access accounts Privilege Escalation shahmeer-amir No rating 2015-11-10
Missing authorization check on dashboard overviews Privilege Escalation shahmeer-amir No rating 2015-11-10
First & Last Name Disclosure of any Shopify Store Admin Privilege Escalation hazimaslam No rating 2015-11-09
Unauthorized access to any Store Admin's First & Last name Improper Authentication - Generic hazimaslam No rating 2015-11-07
get users information without full access Privilege Escalation supernatural No rating 2015-11-04
Bypassing password requirement during deletion of account Improper Authentication - Generic lostboy No rating 2015-11-03
Domain takeover - https://sellocdn.com Improper Authentication - Generic uname No rating 2015-11-03
Staff members with no permission to access domains can access them. Improper Authentication - Generic zombiehelp54 No rating 2015-11-03
Some S3 Buckets are world readable (and one is world writeable) Improper Authentication - Generic brakhane No rating 2015-10-24
Unauthenticated access to details of hidden products in any shop via title enumeration Improper Authentication - Generic juhhga No rating 2015-10-23
Paid account can review\download any invoice of any other shop Improper Authentication - Generic dvl No rating 2015-10-22
www.shopify.com XSS on blog pages via sharing buttons Cross-site Scripting (XSS) - Generic reactors08 No rating 2015-10-21
Arbitrary read on s3://shopify-delivery-app-storage/files Improper Authentication - Generic brakhane No rating 2015-10-20
Unauthorized access to all collections, products, pages from other stores Improper Authentication - Generic supernatural No rating 2015-10-20
Arbitrary write on s3://shopify-delivery-app-storage/files Improper Authentication - Generic brakhane No rating 2015-10-15
amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/ Memory Corruption - Generic pulkit_pandey No rating 2015-10-15
Privilege escalation vulnerability Denial of Service marhvhelous No rating 2015-10-14
change Login Services settings without owner access Improper Authentication - Generic supernatural No rating 2015-10-14
unauthorized access to all collections name Privilege Escalation supernatural No rating 2015-10-14
The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. None supplied patrik No rating 2015-10-09
unauthorized access to all customers first and last name Improper Authentication - Generic supernatural No rating 2015-10-06
customers password hash leak!!!! Improper Authentication - Generic supernatural No rating 2015-10-05
Open Redirect after login at http://ecommerce.shopify.com Open Redirect dhaval No rating 2015-10-05
Shop admin can change external login services Privilege Escalation satishb3 No rating 2015-10-02
Passwords Returned in Later Responses. Violation of Secure Design Principles w00tr00t No rating 2015-09-30
Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App Denial of Service prakharprasad No rating 2015-09-29
Notification request disclose private information about other myshopify accounts Improper Authentication - Generic dvl No rating 2015-09-24
Bypass access restrictions from API Improper Authentication - Generic supernatural No rating 2015-09-18
Invitation issue Privilege Escalation frozen No rating 2015-09-16
Body injection in mailto link while commenting shop blog None supplied skavans No rating 2015-09-10
XSS on ecommerce.shopify.com Cross-site Scripting (XSS) - Generic r0x33d No rating 2015-09-06
Reflected XSS in chat. Cross-site Scripting (XSS) - Generic dz_samir No rating 2015-09-02
XSS https://www.shopify.com/signup Cross-site Scripting (XSS) - Generic mdv No rating 2015-09-01
XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) Cross-site Scripting (XSS) - Generic dz_samir No rating 2015-08-25
SSRF via 'Insert Image' feature of Products/Collections/Frontpage Violation of Secure Design Principles alpha No rating 2015-08-24
Reflected XSS in chat Cross-site Scripting (XSS) - Generic skavans No rating 2015-08-11
TCP Source Port Pass Firewall Improper Authentication - Generic salmankhanchampion No rating 2015-08-11
Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS Cross-site Scripting (XSS) - Generic nismo No rating 2015-07-23
XSS in Myshopify Admin Site in DISCOUNTS Cross-site Scripting (XSS) - Generic nismo No rating 2015-07-20
Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ Command Injection - Generic prakharprasad No rating 2015-07-16
Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS Improper Authentication - Generic nismo No rating 2015-07-15
SSRF via 'Add Image from URL' feature Violation of Secure Design Principles alpha No rating 2015-07-15
SSL cookie without secure flag set Violation of Secure Design Principles blackpanther_pintoo No rating 2015-07-13
Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content Improper Authentication - Generic sukhoi No rating 2015-07-04
Open redirection in OAuth Open Redirect coolboss No rating 2015-07-03
[persistent cross-site scripting] customers can target admins Cross-site Scripting (XSS) - Generic akhil-reni No rating 2015-07-01
CSRF token fixation in facebook store app that can lead to adding attacker to victim acc Violation of Secure Design Principles defmax No rating 2015-06-25
XSS at Bulk editing ProductVariants Cross-site Scripting (XSS) - Generic mafia No rating 2015-06-25
XSS at Bulk editing products Cross-site Scripting (XSS) - Generic mafia No rating 2015-06-17
XSS at importing Product List Cross-site Scripting (XSS) - Generic mafia No rating 2015-06-17
Header Misconfiguration - PHP API Violation of Secure Design Principles paulos_ No rating 2015-06-11
[www.*.myshopify.com] CRLF Injection None supplied bobrov No rating 2015-06-10
Force 500 Internal Server Error on any shop (for one user) Denial of Service 4lemon No rating 2015-06-10
XSS on support.shopify.com Cross-site Scripting (XSS) - Generic r0x33d No rating 2015-06-10
XSS in myshopify.com Admin site in TAX Overrides Cross-site Scripting (XSS) - Generic nismo No rating 2015-06-09
Authentication Failed Mobile version Improper Authentication - Generic lccunha No rating 2015-06-02
Stored XSS in the Shopify Discussion Forums Cross-site Scripting (XSS) - Generic sukhjiwansingh No rating 2015-05-31
Multiple issues on Checkout Process Violation of Secure Design Principles ishikawa No rating 2015-05-21
Lack of SSL Pinning on POS Application ( iOS ) Cryptographic Issues - Generic ishikawa No rating 2015-05-21
XSS in experts.shopify.com Cross-site Scripting (XSS) - Generic haxs101 No rating 2015-05-19
XSS - URL Redirects Cross-site Scripting (XSS) - Generic vlazeg No rating 2015-05-17
Xss in website's link Cross-site Scripting (XSS) - Generic ragnar No rating 2015-05-13
Content Spoofing Violation of Secure Design Principles zerohat No rating 2015-05-05
comment out causes information disclosure Information Disclosure shhnjk No rating 2015-04-19
IDOR expire other user sessions Improper Authentication - Generic sappi No rating 2015-04-17
Missing spf flags for myshopify.com None supplied scorppy No rating 2015-04-16