| Report title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Bypass a fix for report #708013 | Brute Force | scaramouche31 | Medium | 2021-12-07 |
| xss is triggered on your web | Cross-site Scripting (XSS) - DOM | jaka_tingkir | Medium | 2021-12-06 |
| [h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status | Cross-Site Request Forgery (CSRF) | rhynorater | Low | 2021-12-06 |
| Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all | Privilege Escalation | yinvi777 | Medium | 2021-12-04 |
| Unauthorised access to admin endpoint on plus-website-staging5.shopifycloud.com | Improper Access Control - Generic | j0j0 | Medium | 2021-12-03 |
| Ability to add address without being an admin or staff in the store via wholesale store | None supplied | hydraxanon82 | Low | 2021-12-03 |
| [h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS | Business Logic Errors | c0rv4x | Low | 2021-12-03 |
| Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints | None supplied | cthulhufhtagn | Low | 2021-12-02 |
| Insufficient session expiration in the **com.shopify.ping** android app | Insufficient Session Expiration | fr4via | Low | 2021-11-26 |
| Sidekiq dashboard exposed at notary.shopifycloud.com | Information Disclosure | youstin | Medium | 2021-11-25 |
| A non-privileged user may create an admin account in Stocky | Privilege Escalation | stapia | Medium | 2021-11-25 |
| Staff who only have apps and channels permission can do a takeover account at the wholesale store (Bypass get invitation link) | None supplied | hydraxanon82 | Medium | 2021-11-21 |
| Apache Flink Dashboard exposure at https://streaming-sales-model-production.flink.shopifykloud.com | Information Disclosure | savik | None | 2021-11-18 |
| Open Redirect in www.shopify.dev Environment | Open Redirect | beerboy_ankit | Medium | 2021-11-18 |
| Blog posts atom feed of a store with password protection can be accessed by anyone | Information Disclosure | xenx | Medium | 2021-11-08 |
| Sensitive data Related to Shopify Host -> https://shopify.zendesk.com/ | Cleartext Storage of Sensitive Information | sam_exploit | None | 2021-11-08 |
| Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage | Violation of Secure Design Principles | golim | Low | 2021-10-21 |
| Domain Takeover at 3hopify.media | Privilege Escalation | m7mdharoun | None | 2021-10-21 |
| Store Deletion or Sell without authentication | Improper Authentication - Generic | fr4via | Low | 2021-10-21 |
| Create free Shopify application credits. | Improper Access Control - Generic | jmp_35p | Medium | 2021-09-10 |
| Improper Input Validation on https://oberlo-image-proxy.shopifycloud.com/ | None supplied | riramar | None | 2021-08-16 |
| Github access token exposure | None supplied | augustozanellato | Critical | 2021-07-26 |
| your-store.myshopify.com preview link is leak on third party website lead to preview all action from store owner Without store Password. | Improper Authentication - Generic | danishalkatiri | Medium | 2021-07-12 |
| Removing parts of URL from jQuery request exposes links for download of Paid Digital Assets of the most recent Order placed by anyone on the store! | None supplied | superbsic | Medium | 2021-07-08 |
| Add new managed stores without permission | Improper Access Control - Generic | jmp_35p | Medium | 2021-07-08 |
| Low Privileged user can add or remove cash to/from sales register | Privilege Escalation | sandeep_rj49 | Low | 2021-06-16 |
| Add new development stores without permission | Improper Access Control - Generic | jmp_35p | Medium | 2021-06-04 |
| XSS at https://exchangemarketplace.com/blogsearch | Cross-site Scripting (XSS) - Generic | fatal0 | Medium | 2021-04-09 |
| https://themes.shopify.com::: Host header web cache poisoning lead to DoS | Denial of Service | g4mm4 | Medium | 2021-04-08 |
| [h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034) | Incorrect Permission Assignment for Critical Resource | intidc | Medium | 2021-03-25 |
| Information disclosure - Access to some checkout information | None supplied | francisbeaudoin | Medium | 2021-03-13 |
| Low Privileged Staff Member Can Export Billing Charges | Improper Access Control - Generic | ash_nz | Medium | 2020-11-26 |
| [Information Disclosure] Amazon S3 Bucket of Shopify Ping (iOS) have public access of other users image | Information Disclosure | vocotnhan | Medium | 2020-11-21 |
| Self xss in product reviews | Cross-site Scripting (XSS) - Generic | tomorrow_future | No rating | 2020-11-19 |
| Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events | Information Disclosure | francisbeaudoin | No rating | 2020-11-19 |
| Staff Member can Get POS Access Without User Interaction | None supplied | ngalog | Medium | 2020-11-19 |
| Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation | None supplied | francisbeaudoin | No rating | 2020-11-19 |
| Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner | None supplied | francisbeaudoin | Medium | 2020-11-19 |
| Customer's full name disclosure via Shopify Chat (by email lookup) | Information Disclosure | francisbeaudoin | No rating | 2020-11-19 |
| XSS stored in the Shopify Email app | Cross-site Scripting (XSS) - Stored | tomorrow_future | No rating | 2020-11-19 |
| Staff with no permissions can listen to Shopify Ping conversations by registering to its different WebSocket Events | Information Disclosure | francisbeaudoin | No rating | 2020-11-19 |
| authenticity token not verified leads to change business name | Cross-Site Request Forgery (CSRF) | cforu | Medium | 2020-10-23 |
| A staff member with no permissions can edit Store Customer Email | Insecure Direct Object Reference (IDOR) | ash_nz | Medium | 2020-10-22 |
| User sensitive information disclosure | Privacy Violation | a_yang | Medium | 2020-10-22 |
| Undocumented `fileCopy` GraphQL API | Improper Access Control - Generic | ash_nz | Medium | 2020-10-22 |
| Self XSS | Cross-site Scripting (XSS) - Generic | wannacry0x01 | No rating | 2020-09-17 |
| Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation | Privilege Escalation | say_ch33se | Critical | 2020-09-15 |
| CircleCI token in github repo allows for access to sensitive build information | Information Disclosure | dwimmerlaik | No rating | 2020-09-15 |
| staff can able to extend shopify trial period without admin permission | Improper Access Control - Generic | risinghunter | Low | 2020-09-15 |
| xss triggered in "myshopify.com/admin/product" | None supplied | jaka_tingkir | High | 2020-09-15 |
| A staff without export customers permissions can still export customers CSV file | Improper Access Control - Generic | ryat | No rating | 2020-09-15 |
| Partner's non-verified business email change reflected into Shopify Collaborator Request | Improper Access Control - Generic | francisbeaudoin | No rating | 2020-09-14 |
| XSS within Shopify Email App - Admin | Cross-site Scripting (XSS) - Stored | francisbeaudoin | No rating | 2020-09-14 |
| XSS / SELF XSS | Cross-site Scripting (XSS) - Generic | whoami991 | Low | 2020-09-14 |
| Staff member with no permission can delete POS staff from account settings | Privilege Escalation | kunal94 | Low | 2020-09-14 |
| Password protection can be removed for newly created development store | None supplied | francisbeaudoin | No rating | 2020-09-14 |
| Admin web sessions remain active after logout of Shopify ID | Insufficient Session Expiration | jaka_tingkir | No rating | 2020-09-14 |
| Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog | Improper Neutralization of HTTP Headers for Scripting Syntax | dakitu | Low | 2020-09-11 |
| damage to the timeline so that comment fields cannot be displayed or not available to all members in the store | None supplied | jaka_tingkir | No rating | 2020-09-09 |
| Takeover an account that doesn't have a Shopify ID and more | None supplied | francisbeaudoin | Critical | 2020-09-02 |
| XSS Stored via Upload avatar PNG [HTML] File in accounts.shopify.com | Violation of Secure Design Principles | zerox4 | Low | 2020-08-30 |
| Ability to publish a paid theme without purchasing it. | Improper Access Control - Generic | saltymermaid | Low | 2020-08-27 |
| Path Traversal in App Proxy | Path Traversal | ngalog | Medium | 2020-08-25 |
| Self XSS in Timeline | Cross-site Scripting (XSS) - Generic | ryat | No rating | 2020-08-25 |
| Script Editor preview token still working with uninstalled application, even for unpublished script | None supplied | francisbeaudoin | No rating | 2020-08-25 |
| Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020) | Information Disclosure | saltymermaid | Medium | 2020-08-25 |
| xss stored in https://your store.myshopify.com/admin/ | Cross-site Scripting (XSS) - Stored | zwail | Low | 2020-08-24 |
| STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend | Information Disclosure | langduvnsec | Medium | 2020-08-24 |
| Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition) | Privilege Escalation | meow-hacker-meow | Medium | 2020-08-24 |
| Stocky App Administrator can create a backdoor admin account by using an existing POS User | None supplied | francisbeaudoin | No rating | 2020-08-24 |
| increased privileges on staff account | None supplied | jaka_tingkir | Medium | 2020-08-24 |
| *.shopify.com - Authentication bypass | None supplied | nooblife | No rating | 2020-08-24 |
| Password reset link not expired at Stocky App | Improper Access Control - Generic | ayyoub | No rating | 2020-08-19 |
| Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation | Information Disclosure | tolo7010 | No rating | 2020-08-19 |
| Ability to generate shipping labels in another store orders | Insecure Direct Object Reference (IDOR) | francisbeaudoin | No rating | 2020-08-19 |
| Blind Stored XSS Via Staff Name | Cross-site Scripting (XSS) - Stored | rioncool22 | High | 2020-08-18 |
| OrderListInitial leaks order details | Information Disclosure | sreeju_kc | Medium | 2020-08-18 |
| access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify- | None supplied | jaka_tingkir | Medium | 2020-08-18 |
| Get analytics token using only apps permission | Information Disclosure | jmp_35p | Medium | 2020-08-18 |
| Stored XSS in my staff name fired in another your internal panel | Cross-site Scripting (XSS) - Stored | cyber__sec | High | 2020-07-30 |
| Stored XSS in my staff name fired in another your internal panel | Cross-site Scripting (XSS) - Stored | cyber__sec | High | 2020-07-29 |
| GraphQL AdminGenerateSessionPayload is leaked to staff with no permission | None supplied | hiffley | High | 2020-07-16 |
| Account takeover intercepting magic link for Arrive app | Insufficiently Protected Credentials | nsl182 | Low | 2020-07-15 |
| Ability to link a Google account to another staff account/store owner that isn't linked yet | None supplied | francisbeaudoin | No rating | 2020-07-15 |
| user with no draft order permission can still perform action on draft order's in stocky app (idor) | Improper Authentication - Generic | imranhudaa | No rating | 2020-07-15 |
| IDOR on stocky application-Low Stock-Variant-Settings-Columns | Insecure Direct Object Reference (IDOR) | sreeju_kc | Medium | 2020-07-14 |
| Subdomain Takeover of multiple *.ttcdn.co domains | Violation of Secure Design Principles | priyanshuxo | Low | 2020-07-14 |
| Open Redirect - www.shopify.com | Open Redirect | zonduu | Low | 2020-07-14 |
| User with removed manage shops permissions is still able to make changes to a shop | Improper Access Control - Generic | flashdisk | Medium | 2020-06-12 |
| Stored XSS on demo app link | Cross-site Scripting (XSS) - Stored | flashdisk | Medium | 2020-06-12 |
| Session works after logout from Shopify account and password of online store is displayed | None supplied | danerh | Low | 2020-04-27 |
| None permission staff member can identify installed application and products attached to it | Information Disclosure | sreeju_kc | Low | 2020-04-21 |
| CSRF on connecting Paypal as Payment Provider | Cross-Site Request Forgery (CSRF) | ngalog | Medium | 2020-04-10 |
| Stored XSS through Facebook Page Connection | Cross-site Scripting (XSS) - Stored | boredengineer21 | Low | 2020-04-04 |
| xss stored | Cross-site Scripting (XSS) - Stored | davscol94 | No rating | 2020-04-03 |
| Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO | None supplied | ngalog | Critical | 2020-04-01 |
| [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation | None supplied | ngalog | Critical | 2020-04-01 |
| Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation | None supplied | ngalog | Medium | 2020-04-01 |
| Session works after logout from Shopify account | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | cryptographer | Low | 2020-03-30 |
| H1514 CSRF in Domain transfer allows adding your domain to other user's account | Cross-Site Request Forgery (CSRF) | rijalrojan | High | 2020-03-30 |
| Timeline Editor Self-XSS (Previous Fix #738072 Incomplete) | Cross-site Scripting (XSS) - Reflected | mosuan | Low | 2020-03-16 |
| H1514 Deanonymizing Exchange Marketplace private listings | Information Disclosure | fisher | Medium | 2020-03-10 |
| H1514 Remote Code Execution on kitcrm using bulk customer update of Priority Products | Command Injection - Generic | fransrosen | Medium | 2020-02-06 |
| Disclose Any Store products, Files, Purchase Orders Via Email through Shopify Stocky APP | Privilege Escalation | hackrzvijay | No rating | 2020-02-02 |
| Stored XSS in Shopify Chat | Cross-site Scripting (XSS) - Stored | mosuan | Low | 2019-12-23 |
| Shopify Stocky App OAuth Misconfiguration | Privilege Escalation | vulnh0lic | Medium | 2019-12-11 |
| Stored XSS in private message | Cross-site Scripting (XSS) - Stored | mosuan | Medium | 2019-11-08 |
| Ability to verify any email address you don't own - accounts.shopify.com | Violation of Secure Design Principles | zombiehelp54 | No rating | 2019-11-08 |
| H1514 Ability to MiTM Shopify PoS Session to Takeover Communications | Business Logic Errors | teknogeek | Medium | 2019-11-04 |
| H1514 DOM XSS on checkout.shopify.com via postMessage handler on /:id/sandbox/google_maps | Cross-site Scripting (XSS) - DOM | bored-engineer | Medium | 2019-11-04 |
| Reflective Cross-site Scripting via Newsletter Form | Cross-site Scripting (XSS) - Reflected | dostoevskylabs | High | 2019-10-11 |
| Unauthenticated read and write access to ALL endpoints of a store is possible for removed staff members who had "Apps" permission | Client-Side Enforcement of Server-Side Security | mariogh | Medium | 2019-10-10 |
| ██████ DOM XSS via Shopify.API.remoteRedirect | Cross-site Scripting (XSS) - DOM | yxw21 | Low | 2019-09-15 |
| XSS while logging using Google | Cross-site Scripting (XSS) - Reflected | ashketchum | No rating | 2019-09-11 |
| Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile) | Improper Authentication - Generic | tems | Low | 2019-08-14 |
| STAFF member with NO Explicit permissions can view `ActivityFeed` via GraphQL | Improper Access Control - Generic | h13- | Low | 2019-06-18 |
| H1514 Removed Staff members who had "Apps" permission can still modify flow app connections | Improper Authorization | zombiehelp54 | Medium | 2019-06-14 |
| XSS on services.shopify.com | Cross-site Scripting (XSS) - Stored | encryptsaan123 | Low | 2019-06-14 |
| Unpublished Product Images can be disclosed | Improper Access Control - Generic | h13- | Low | 2019-06-12 |
| H1514 Bypass Wholesale account signup restrictions | Improper Access Control - Generic | cablej | Medium | 2019-06-07 |
| H1514 [*.(my)shopify.com] - Viewing Password Protected Content | Improper Authentication - Generic | corb3nik | High | 2019-05-22 |
| H1514 Session Fixation on multiple shopify-built apps on *.shopifycloud.com and *.shopifyapps.com | Session Fixation | filedescriptor | No rating | 2019-04-25 |
| H1514 DOMXSS on Embedded SDK via Shopify.API.setWindowLocation abusing cookie Stuffing | Cross-site Scripting (XSS) - DOM | filedescriptor | High | 2019-04-17 |
| H1514 Server Side Template Injection in Return Magic email templates? | Code Injection | zombiehelp54 | No rating | 2019-04-04 |
| Reflected XSS on $Any$.myshopify.com/admin | Cross-site Scripting (XSS) - Reflected | dr_dragon | High | 2018-11-13 |
| PII disclosure -- Past team members & their email ID (personal email) can be viewed by Staff member with no permissions on Partner Dashboard | Information Disclosure | h13- | Low | 2018-11-08 |
| Disclosure of Github Issues | Information Disclosure | rijalrojan | Medium | 2018-11-08 |
| Stored xss | Cross-site Scripting (XSS) - Stored | dr_dragon | High | 2018-11-07 |
| App messaging can be hijacked by third-party websites | Violation of Secure Design Principles | palant | Medium | 2018-11-07 |
| Admin bar: Incomplete message origin validation results in XSS | Cross-site Scripting (XSS) - DOM | palant | Medium | 2018-11-07 |
| [ux.shopify.com] Subdomain takeover | Improper Access Control - Generic | bobrov | Medium | 2018-10-19 |
| Race condition at create new Location | Business Logic Errors | zhurig | Low | 2018-10-05 |
| subdomain Takeover at blog.exchangemarketplace.com | None supplied | m7mdharoun | Low | 2018-10-01 |
| Stored XSS on buy button | Cross-site Scripting (XSS) - Stored | tony_tsep | Low | 2018-09-29 |
| Open redirection in OAuth | Open Redirect | dr_dragon | Low | 2018-09-24 |
| Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass | Improper Authentication - Generic | rijalrojan | Critical | 2018-09-19 |
| From full-access account to Account Owner | Privilege Escalation | rms | No rating | 2018-09-18 |
| Stored XSS on activity | Cross-site Scripting (XSS) - Stored | shazad_sadiq | High | 2018-08-14 |
| Preview bar: Incomplete message origin validation results in XSS | Cross-site Scripting (XSS) - DOM | palant | Medium | 2018-07-26 |
| Potential SSRF and disclosure of sensitive site on *shopifycloud.com | Server-Side Request Forgery (SSRF) | rijalrojan | Low | 2018-07-19 |
| [out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network | Server-Side Request Forgery (SSRF) | bored-engineer | Medium | 2018-07-11 |
| Subdomain Takeover - https://competition.shopify.com/ | Privilege Escalation | llt4l | Medium | 2018-06-19 |
| Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C | Improper Access Control - Generic | tbh | Low | 2018-06-15 |
| Publicly Accessible Datadog link | Information Disclosure | rijalrojan | Medium | 2018-06-15 |
| SSRF in Exchange leads to ROOT access in all instances | Server-Side Request Forgery (SSRF) | 0xacb | Medium | 2018-05-23 |
| ability to install paid themes for free | Improper Access Control - Generic | flashdisk | Medium | 2018-05-16 |
| Potential to abuse pricing errors in saved carts | Business Logic Errors | richardf | Medium | 2018-05-02 |
| Replace other user files in Inbox messages | Insecure Direct Object Reference (IDOR) | rijalrojan | Medium | 2018-05-01 |
| Stored XSS in partners dashboard | Cross-site Scripting (XSS) - Stored | bastianwelfrid | Low | 2018-04-18 |
| Order notifications being sent for a deactivated staff account | Improper Authorization | newbie_101 | Low | 2018-04-12 |
| XSS *.myshopify.com/collections/vendors?q= | Cross-site Scripting (XSS) - Reflected | gromoza | Medium | 2018-04-08 |
| XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter | Cross-site Scripting (XSS) - DOM | bored-engineer | None | 2018-04-03 |
| Access to Private Photos of Apps in App section (IDOR) | Insecure Direct Object Reference (IDOR) | vijay_kumar1110 | Medium | 2018-03-05 |
| myshopify.com domain takeover | Business Logic Errors | 0xacb | Medium | 2018-02-27 |
| Ability to bypass partner email confirmation to take over any store given an employee email | Time-of-check Time-of-use (TOCTOU) Race Condition | cache-money | Critical | 2018-02-07 |
| Cross-site scripting in "Contact customer" form | Cross-site Scripting (XSS) - Stored | protector47 | Low | 2017-12-19 |
| Self-XSS in password reset functionality | Cross-site Scripting (XSS) - Reflected | itszeeshan | Low | 2017-11-10 |
| stored xss in invited team member via email parameter | Cross-site Scripting (XSS) - Stored | coldd | Medium | 2017-11-03 |
| Shopify admin authentication bypass using partners.shopify.com | Improper Authorization | uzsunny9 | Critical | 2017-09-28 |
| Shopify admin authentication bypass using partners.shopify.com | Improper Authorization | uzsunny | Critical | 2017-09-28 |
| Tinymce 2.4.0 | Cross-site Scripting (XSS) - DOM | jelmer | Medium | 2017-09-26 |
| SVG Server Side Request Forgery (SSRF) | Server-Side Request Forgery (SSRF) | floyd | Low | 2017-09-22 |
| Stored XSS Deleting Menu Links in the Shopify Admin | Cross-site Scripting (XSS) - Stored | geeklegend | Medium | 2017-09-08 |
| Setting Arbitrary Cookie at kitcrm.com | None supplied | dhaval | None | 2017-08-23 |
| XSS in my.shopify.com in widget | Cross-site Scripting (XSS) - Generic | xssa | Medium | 2017-07-21 |
| Open Redirect in shopify app URL | Open Redirect | pappan | Low | 2017-07-21 |
| IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop | Insecure Direct Object Reference (IDOR) | inhibitor181 | Medium | 2017-07-19 |
| SQL Exception thrown during product import | Information Exposure Through an Error Message | pappan | Medium | 2017-07-12 |
| XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications | Cross-site Scripting (XSS) - Stored | bored-engineer | High | 2017-06-28 |
| API Webhooks Fire And Are Unlisted After Permissions Removed | Improper Access Control - Generic | yaworsk | Low | 2017-06-27 |
| Redirect in adding advance cash on delivery app | Open Redirect | ashish_r_padelkar | Low | 2017-06-27 |
| Stored XSS in *.myshopify.com | Cross-site Scripting (XSS) - Stored | jamesclyde | Medium | 2017-06-27 |
| ShopifyAPI is vulnerable to timing attacks. | Cryptographic Issues - Generic | edoverflow | Low | 2017-06-23 |
| Shopify GitHub Login and Password exposed all private source code might be available. | Information Disclosure | todayisnew | No rating | 2017-06-08 |
| XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app | Cross-site Scripting (XSS) - Generic | bored-engineer | High | 2017-06-01 |
| XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" | Cross-site Scripting (XSS) - DOM | bored-engineer | No rating | 2017-05-30 |
| Reflected XSS in <any>.myshopify.com through theme preview | Cross-site Scripting (XSS) - Reflected | zombiehelp54 | No rating | 2017-05-29 |
| XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app | Cross-site Scripting (XSS) - Generic | bored-engineer | High | 2017-05-22 |
| CSRF in all API endpoints when authenticated using HTTP Authentication | Cross-Site Request Forgery (CSRF) | zombiehelp54 | No rating | 2017-03-28 |
| Stored XSS in [shop].myshopify.com/admin/orders/[id] | Cross-site Scripting (XSS) - Generic | zombiehelp54 | No rating | 2017-03-28 |
| Stored passive XSS at scheduled posts (kitcrm.com) | Cross-site Scripting (XSS) - Reflected | skavans | Medium | 2017-03-28 |
| Full access at an internal service of Shopify | Information Disclosure | jamesclyde | No rating | 2017-03-28 |
| Stored XSS in blog comments through Shopify API | Cross-site Scripting (XSS) - Generic | prakharprasad | Medium | 2017-03-16 |
| Stealing users' facebook access tokens - kitcrm.com | Information Disclosure | zombiehelp54 | No rating | 2017-03-15 |
| Subdomain takeover on s3.shopify.com | Cross-site Scripting (XSS) - Generic | avlidienbrunn | No rating | 2017-02-28 |
| apps.shopify.com - CSRF token leakage through Google Analytics | Cross-Site Request Forgery (CSRF) | zombiehelp54 | No rating | 2017-02-07 |
| Authentication Bypass on monitoring server | Improper Authentication - Generic | jamesclyde | Low | 2017-01-11 |
| XSS on postal codes | Cross-site Scripting (XSS) - Generic | pappan | Medium | 2017-01-11 |
| XSS on manually entering Postal codes | Cross-site Scripting (XSS) - Generic | prem1807 | Medium | 2016-12-17 |
| Misconfiguration in Two Factor Authorisation | None supplied | dhaval | No rating | 2016-12-17 |
| Unauthenticated Stored XSS on <any>.myshopify.com via checkout page | Cross-site Scripting (XSS) - Generic | zombiehelp54 | No rating | 2016-12-16 |
| Stored XSS at 'Buy Button' page | Cross-site Scripting (XSS) - Generic | zuh4n | No rating | 2016-12-16 |
| [ecommerce.shopify.com] Invalidated redirection | Open Redirect | shailesh4594 | Low | 2016-12-04 |
| Open redirect in bulk edit | Open Redirect | zombiehelp54 | No rating | 2016-12-04 |
| Able to Login deactivated staff account in shopify app mobile | Privilege Escalation | clarckowen_ | No rating | 2016-11-29 |
| (BYPASS) Open redirect and XSS in supporthiring.shopify.com | Cross-Site Request Forgery (CSRF) | jamesclyde | No rating | 2016-11-21 |
| race condition in adding team members | Violation of Secure Design Principles | flashdisk | Low | 2016-11-10 |
| password less login token expiration issue | Improper Authentication - Generic | satishb3 | No rating | 2016-10-19 |
| Add signature to transactions without any permission | Improper Authentication - Generic | supernatural | No rating | 2016-10-07 |
| Deleted Post and Administrative Function Access in eCommerce Forum | Privilege Escalation | ysx | No rating | 2016-10-05 |
| Payment gateway status transferred to Shopify without authentication | Cross-Site Request Forgery (CSRF) | ishwar_prasad_bhat | No rating | 2016-09-27 |
| [apps.shopify.com] Open Redirect | | | | |
  Open Redirect | 
  bobrov | 
         No rating | 
   2016-09-26 | 
 
  
  | Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor | 
  Open Redirect | 
  zombiehelp54 | 
         No rating | 
   2016-09-22 | 
 
  
  | XSS in SHOPIFY: Unsanitized Supplier Name  can lead to XSS in Transfers Timeline | 
  Cross-site Scripting (XSS) - Generic | 
  nismo | 
         No rating | 
   2016-09-19 | 
 
  
  | Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline | 
  Cross-site Scripting (XSS) - Generic | 
  nismo | 
         No rating | 
   2016-09-19 | 
 
  
  | Access to Splunk via shard3-db2.ec2.shopify.com endpoint | 
  Improper Authentication - Generic | 
  ysx | 
         No rating | 
   2016-09-19 | 
 
  
  | Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly  | 
  None supplied | 
  sacurifity | 
         No rating | 
   2016-09-06 | 
 
  
  | Open redirect using checkout_url | 
  Open Redirect | 
  zombiehelp54 | 
         No rating | 
   2016-09-01 | 
 
  
  | Open CouchDB on experiments.ec2.shopify.com:5984 | 
  None supplied | 
  fransrosen | 
         No rating | 
   2016-09-01 | 
 
  
  | Access to Splunk at https://apt.ec2.shopify.com:8089 | 
  None supplied | 
  lewerkun | 
         No rating | 
   2016-09-01 | 
 
  
  | (BYPASS) Open Redirect after login at http://ecommerce.shopify.com | 
  Open Redirect | 
  jamesclyde | 
         No rating | 
   2016-09-01 | 
 
  
  | (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io'   | 
  Improper Authentication - Generic | 
  jamesclyde | 
         No rating | 
   2016-09-01 | 
 
  
  | View all deleted comments and rating of any app . | 
  Information Disclosure | 
  vijay_kumar | 
         No rating | 
   2016-09-01 | 
 
  
  | Open Redirect possible in https://www.shopify.com/admin/ | 
  Open Redirect | 
  jamesclyde | 
         No rating | 
   2016-08-31 | 
 
  
  | Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 | 
  Improper Authentication - Generic | 
  mico02 | 
         No rating | 
   2016-08-09 | 
 
  
  | Delete/modify  your own comment after limited access(IDOR) | 
  Privilege Escalation | 
  vijay_kumar1110 | 
         No rating | 
   2016-08-09 | 
 
  
  | Staff member can delete Private Apps | 
  Privilege Escalation | 
  vijay_kumar1110 | 
         No rating | 
   2016-08-09 | 
 
  
  | Redirect url after login is not validated | 
  Open Redirect | 
  capripio | 
         No rating | 
   2016-07-28 | 
 
  
  | XSS in Draft Orders in Timeline i SHOPIFY Admin Site! | 
  Cross-site Scripting (XSS) - Generic | 
  nismo | 
         No rating | 
   2016-07-28 | 
 
  
  | [CSRF] Install premium themes  | 
  Cross-Site Request Forgery (CSRF) | 
  zombiehelp54 | 
         No rating | 
   2016-07-27 | 
 
  
  | Stealing livechat token and using it to chat as the user - user information disclosure  | 
  Improper Authentication - Generic | 
  zombiehelp54 | 
         No rating | 
   2016-07-19 | 
 
  
  | https://windsor.shopify.com/ takeover | 
  Open Redirect | 
  zseano | 
         No rating | 
   2016-07-19 | 
 
  
  | Potentially Sensitive Information on GitHub | 
  Information Disclosure | 
  wkcaj | 
         No rating | 
   2016-07-17 | 
 
  
  | Authentication Bypass on Icinga monitoring server | 
  Improper Authentication - Generic | 
  wkcaj | 
         No rating | 
   2016-07-17 | 
 
  
  | Staff members with no permission can access to the files, uploaded by the administrator | 
  Privilege Escalation | 
  hexrby | 
         No rating | 
   2016-07-07 | 
 
  
  | Fetching external resources through svg images | 
  Information Disclosure | 
  detroitsmash | 
         No rating | 
   2016-06-21 | 
 
  
  | SVG parser loads external resources on image upload | 
  Cross-Site Request Forgery (CSRF) | 
  ogig | 
         No rating | 
   2016-06-02 | 
 
  
  | staff memeber can install apps even if have limitied access  | 
  Privilege Escalation | 
  abdellahyal | 
         No rating | 
   2016-05-05 | 
 
  
  | Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using  `Order Printer APP`  | 
  Privilege Escalation | 
  coolboss | 
         No rating | 
   2016-04-20 | 
 
  
  | Bypassed password authentication before enabling OTP verification | 
  Improper Authentication - Generic | 
  jbbbkj | 
         No rating | 
   2016-04-15 | 
 
  
  | XSS on hardware.shopify.com | 
  Cross-site Scripting (XSS) - Generic | 
  virtualhunter | 
         No rating | 
   2016-04-09 | 
 
  
  | Stored XSS via "Free Shipping" option (Discounts) | 
  Cross-site Scripting (XSS) - Generic | 
  ancst | 
         No rating | 
   2016-04-05 | 
 
  
  | XSS on https://app.shopify.com/ | 
  Cross-site Scripting (XSS) - Generic | 
  secalert | 
         No rating | 
   2016-04-05 | 
 
  
  | xss in the all widgets of shopifyapps.com | 
  Cross-site Scripting (XSS) - Generic | 
  sergeym | 
         No rating | 
   2016-03-16 | 
 
  
  | Stored XSS in https://checkout.shopify.com/ | 
  Cross-site Scripting (XSS) - Generic | 
  niyaax | 
         No rating | 
   2016-03-15 | 
 
  
  | Strored Cross Site Scripting | 
  Cross-site Scripting (XSS) - Generic | 
  hussein98d | 
         No rating | 
   2016-03-13 | 
 
  
  | Injection via CSV Export feature in Admin Orders | 
  None supplied | 
  wakadotz | 
         No rating | 
   2016-03-12 | 
 
  
  | XSS on hardware.shopify.com | 
  Cross-site Scripting (XSS) - Generic | 
  mdv | 
         No rating | 
   2016-03-01 | 
 
  
  | File name and folder enumeration. | 
  Information Disclosure | 
  derision | 
         No rating | 
   2016-03-01 | 
 
  
  | create staff member without owner access | 
  Improper Authentication - Generic | 
  supernatural | 
         No rating | 
   2016-02-29 | 
 
  
  | S3 Buckets open to the world thanks to  'Authenticated Users' ACL  | 
  Improper Authentication - Generic | 
  brakhane | 
         No rating | 
   2016-02-23 | 
 
  
  | CSRF on https://shopify.com/plus | 
  Information Disclosure | 
  mdv | 
         No rating | 
   2016-02-17 | 
 
  
  | Stored XSS in /admin/orders  | 
  Cross-site Scripting (XSS) - Generic | 
  zombiehelp54 | 
         No rating | 
   2016-02-17 | 
 
  
  | many xss in widgets.shopifyapps.com | 
  Cross-site Scripting (XSS) - Generic | 
  sergeym | 
         No rating | 
   2016-02-04 | 
 
  
  | CSRF in Connecting Pinterest Account | 
  Cross-Site Request Forgery (CSRF) | 
  mercurii | 
         No rating | 
   2016-02-02 | 
 
  
  | Full access to Amazon S3 bucket containing AWS CloudTrail logs | 
  Information Disclosure | 
  koenrh | 
         No rating | 
   2016-02-01 | 
 
  
  | Twitter Disconnect CSRF | 
  Cross-Site Request Forgery (CSRF) | 
  akhil-reni | 
         No rating | 
   2016-02-01 | 
 
  
  | Attach Pinterest account - no State/CSRF parameter in Oauth Call back | 
  Cross-Site Request Forgery (CSRF) | 
  akhil-reni | 
         No rating | 
   2016-02-01 | 
 
  
  | www.shopify.com XSS via third-party script | 
  Cross-site Scripting (XSS) - Generic | 
  reactors08 | 
         No rating | 
   2016-02-01 | 
 
  
  | [livechat.shopify.com] Cookie bomb at customer chats | 
  None supplied | 
  s_p_q_r | 
         No rating | 
   2016-01-19 | 
 
  
  | HTTP-Response-Splitting on v.shopify.com | 
  None supplied | 
  krankopwnz | 
         No rating | 
   2016-01-17 | 
 
  
  | "Remember me" token generated when "Remember me" box unchecked | 
  Improper Authentication - Generic | 
  dhaval | 
         No rating | 
   2016-01-13 | 
 
  
  | Reflected XSS in cart at hardware.shopify.com | 
  Cross-site Scripting (XSS) - Generic | 
  juhhga | 
         No rating | 
   2015-12-22 | 
 
  
  | Reflective XSS on wholesale.shopify.com | 
  Cross-site Scripting (XSS) - Generic | 
  krankopwnz | 
         No rating | 
   2015-12-22 | 
 
  
  | Open Redirect at *.myshopify.com/account/login?checkout_url= | 
  Open Redirect | 
  batman | 
         No rating | 
   2015-12-16 | 
 
  
  | Open redirect using theme install | 
  Open Redirect | 
  blinkms | 
         No rating | 
   2015-12-14 | 
 
  
  | shopifyapps.com XSS on sales channels via currency formatting | 
  Cross-site Scripting (XSS) - Generic | 
  reactors08 | 
         No rating | 
   2015-12-14 | 
 
  
  | An administrator without any permission is able to get order notifications using his APNS Token. | 
  Improper Authentication - Generic | 
  rms | 
         No rating | 
   2015-12-14 | 
 
  
  | Missing of csrf protection  | 
  Cross-Site Request Forgery (CSRF) | 
  harishkumar0394 | 
         No rating | 
   2015-12-07 | 
 
  
  | XSS in creating tweets | 
  Cross-site Scripting (XSS) - Generic | 
  haxs101 | 
         No rating | 
   2015-12-03 | 
 
  
  | Non-owner user can remove online store channel and re-add it. | 
  Improper Authentication - Generic | 
  zombiehelp54 | 
         No rating | 
   2015-12-03 | 
 
  
  |  [CSRF] Activate PayPal Express Checkout | 
  Cross-Site Request Forgery (CSRF) | 
  zombiehelp54 | 
         No rating | 
   2015-12-03 | 
 
  
  | Cookie securing your "Opening soon" store is not secured against XSS | 
  Violation of Secure Design Principles | 
  jurajk | 
         No rating | 
   2015-12-01 | 
 
  
  | CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com | 
  Command Injection - Generic | 
  zombiehelp54 | 
         No rating | 
   2015-12-01 | 
 
  
  | Apps can access 'channels' beta api | 
  Privilege Escalation | 
  rms | 
         No rating | 
   2015-11-18 | 
 
  
  | An administrator without the 'Settings' permission is able to see payment gateways | 
  Improper Authentication - Generic | 
  brakhane | 
         No rating | 
   2015-11-18 | 
 
  
  | deleted staff member can add his amazon marketplace web services account to the store. | 
  Improper Authentication - Generic | 
  zombiehelp54 | 
         No rating | 
   2015-11-18 | 
 
  
  | Privilege escalation and circumvention of permission to limited access user | 
  Improper Authentication - Generic | 
  ayid | 
         No rating | 
   2015-11-11 | 
 
  
  | 'Limited' RCE in certain places where Liquid is accepted | 
  Code Injection | 
  brakhane | 
         No rating | 
   2015-11-11 | 
 
  
  | A 'Full access' administrator is able to see the shop owners user details | 
  Privilege Escalation | 
  brakhane | 
         No rating | 
   2015-11-11 | 
 
  
  | List of devices is accessible regardless of the account limitations | 
  Information Disclosure | 
  rms | 
         No rating | 
   2015-11-10 | 
 
  
  | Accessing Payments page and adding payment methods with limited access accounts | 
  Privilege Escalation | 
  shahmeer-amir | 
         No rating | 
   2015-11-10 | 
 
  
  | Missing authorization check on dashboard overviews | 
  Privilege Escalation | 
  shahmeer-amir | 
         No rating | 
   2015-11-10 | 
 
  
  | First & Last Name Disclosure of any Shopify Store Admin | 
  Privilege Escalation | 
  hazimaslam | 
         No rating | 
   2015-11-09 | 
 
  
  | Unauthorized access to any Store Admin's First & Last name | 
  Improper Authentication - Generic | 
  hazimaslam | 
         No rating | 
   2015-11-07 | 
 
  
  | get users information without full access | 
  Privilege Escalation | 
  supernatural | 
         No rating | 
   2015-11-04 | 
 
  
  | Bypassing password requirement during deletion of accout | 
  Improper Authentication - Generic | 
  lostboy | 
         No rating | 
   2015-11-03 | 
 
  
  | Domain takoever - https://sellocdn.com | 
  Improper Authentication - Generic | 
  uname | 
         No rating | 
   2015-11-03 | 
 
  
  | Staff members with no permission to  access domains can access them. | 
  Improper Authentication - Generic | 
  zombiehelp54 | 
         No rating | 
   2015-11-03 | 
 
  
  | Some S3 Buckets are world readable (and one is world writeable) | 
  Improper Authentication - Generic | 
  brakhane | 
         No rating | 
   2015-10-24 | 
 
  
  | Unauthenticated access to details of hidden products in any shop via title emuneration | 
  Improper Authentication - Generic | 
  juhhga | 
         No rating | 
   2015-10-23 | 
 
  
  | Paid account can review\download any invoice of any other shop | 
  Improper Authentication - Generic | 
  dvl | 
         No rating | 
   2015-10-22 | 
 
  
  | www.shopify.com XSS on blog pages via sharing buttons | 
  Cross-site Scripting (XSS) - Generic | 
  reactors08 | 
         No rating | 
   2015-10-21 | 
 
  
  | Arbitrary read on s3://shopify-delivery-app-storage/files | 
  Improper Authentication - Generic | 
  brakhane | 
         No rating | 
   2015-10-20 | 
 
  
  | Unauthorized access to all collections, products, pages from other stores | 
  Improper Authentication - Generic | 
  supernatural | 
         No rating | 
   2015-10-20 | 
 
  
  | Arbitrary write on s3://shopify-delivery-app-storage/files | 
  Improper Authentication - Generic | 
  brakhane | 
         No rating | 
   2015-10-15 | 
 
  
  | amazon aws s3 bucket content is public :-  http://shopify.com.s3.amazonaws.com/ | 
  Memory Corruption - Generic | 
  pulkit_pandey | 
         No rating | 
   2015-10-15 | 
 
  
  | Privilege escalation vulnerability | 
  Denial of Service | 
  marhvhelous | 
         No rating | 
   2015-10-14 | 
 
  
  | change Login Services settings without owner access | 
  Improper Authentication - Generic | 
  supernatural | 
         No rating | 
   2015-10-14 | 
 
  
  | unauthorized access to all collections name | 
  Privilege Escalation | 
  supernatural | 
         No rating | 
   2015-10-14 | 
 
  
  | The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. | 
  None supplied | 
  patrik | 
         No rating | 
   2015-10-09 | 
 
  
  | unauthorized access to all customers first and last name  | 
  Improper Authentication - Generic | 
  supernatural | 
         No rating | 
   2015-10-06 | 
 
  
  | customers password hash leak!!!! | 
  Improper Authentication - Generic | 
  supernatural | 
         No rating | 
   2015-10-05 | 
 
  
  | Open Redirect after login at http://ecommerce.shopify.com | 
  Open Redirect | 
  dhaval | 
         No rating | 
   2015-10-05 | 
 
  
  | Shop admin can change external login services | 
  Privilege Escalation | 
  satishb3 | 
         No rating | 
   2015-10-02 | 
 
  
  | Passwords Returned in Later Responses. | 
  Violation of Secure Design Principles | 
  w00tr00t | 
         No rating | 
   2015-09-30 | 
 
  
  | Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App | 
  Denial of Service | 
  prakharprasad | 
         No rating | 
   2015-09-29 | 
 
  
  | Notification request disclose private information about other myshopify accounts | 
  Improper Authentication - Generic | 
  dvl | 
         No rating | 
   2015-09-24 | 
 
  
  | Bypass access restrictions from API | 
  Improper Authentication - Generic | 
  supernatural | 
         No rating | 
   2015-09-18 | 
 
  
  | Invitation issue | 
  Privilege Escalation | 
  frozen | 
         No rating | 
   2015-09-16 | 
 
  
  | Body injection in mailto link while commenting shop blog | 
  None supplied | 
  skavans | 
         No rating | 
   2015-09-10 | 
 
  
  | XSS on ecommerce.shopify.com | 
  Cross-site Scripting (XSS) - Generic | 
  r0x33d | 
         No rating | 
   2015-09-06 | 
 
  
  | Reflected XSS in chat. | 
  Cross-site Scripting (XSS) - Generic | 
  dz_samir | 
         No rating | 
   2015-09-02 | 
 
  
  | XSS https://www.shopify.com/signup | 
  Cross-site Scripting (XSS) - Generic | 
  mdv | 
         No rating | 
   2015-09-01 | 
 
  
  | XSS https://delivery.shopifyapps.com/  (Digital Downloads App  in myshopify.com) | 
  Cross-site Scripting (XSS) - Generic | 
  dz_samir | 
         No rating | 
   2015-08-25 | 
 
  
  | SSRF via 'Insert Image' feature of Products/Collections/Frontpage | 
  Violation of Secure Design Principles | 
  alpha | 
         No rating | 
   2015-08-24 | 
 
  
  | Reflected XSS in chat | 
  Cross-site Scripting (XSS) - Generic | 
  skavans | 
         No rating | 
   2015-08-11 | 
 
  
  | TCP Source Port Pass Firewall | 
  Improper Authentication - Generic | 
  salmankhanchampion | 
         No rating | 
   2015-08-11 | 
 
  
  | Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS | 
  Cross-site Scripting (XSS) - Generic | 
  nismo | 
         No rating | 
   2015-07-23 | 
 
  
  | XSS in Myshopify Admin Site in DISCOUNTS | 
  Cross-site Scripting (XSS) - Generic | 
  nismo | 
         No rating | 
   2015-07-20 | 
 
  
  | Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ | 
  Command Injection - Generic | 
  prakharprasad | 
         No rating | 
   2015-07-16 | 
 
  
  | Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS | 
  Improper Authentication - Generic | 
  nismo | 
         No rating | 
   2015-07-15 | 
 
  
  | SSRF via 'Add Image from URL' feature | 
  Violation of Secure Design Principles | 
  alpha | 
         No rating | 
   2015-07-15 | 
 
  
  | SSL cookie without secure flag set | 
  Violation of Secure Design Principles | 
  blackpanther_pintoo | 
         No rating | 
   2015-07-13 | 
 
  
  | Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content | 
  Improper Authentication - Generic | 
  sukhoi | 
         No rating | 
   2015-07-04 | 
 
  
  | Open redirection in OAuth | 
  Open Redirect | 
  coolboss | 
         No rating | 
   2015-07-03 | 
 
  
  | [persistent cross-site scripting] customers can target admins | 
  Cross-site Scripting (XSS) - Generic | 
  akhil-reni | 
         No rating | 
   2015-07-01 | 
 
  
  | CSRF token fixation in facebook store app that can lead to adding attacker to victim acc  | 
  Violation of Secure Design Principles | 
  defmax | 
         No rating | 
   2015-06-25 | 
 
  
  | XSS at Bulk editing ProductVariants | 
  Cross-site Scripting (XSS) - Generic | 
  mafia | 
         No rating | 
   2015-06-25 | 
 
  
  | XSS at Bulk editing products | 
  Cross-site Scripting (XSS) - Generic | 
  mafia | 
         No rating | 
   2015-06-17 | 
 
  
  | XSS at importing Product List | 
  Cross-site Scripting (XSS) - Generic | 
  mafia | 
         No rating | 
   2015-06-17 | 
 
  
  | Header Misconfiguration - PHP API | 
  Violation of Secure Design Principles | 
  paulos_ | 
         No rating | 
   2015-06-11 | 
 
  
  | [www.*.myshopify.com] CRLF Injection | 
  None supplied | 
  bobrov | 
         No rating | 
   2015-06-10 | 
 
  
  | Force 500 Internal Server Error on any shop (for one user) | 
  Denial of Service | 
  4lemon | 
         No rating | 
   2015-06-10 | 
 
  
  | XSS on support.shopify.com | 
  Cross-site Scripting (XSS) - Generic | 
  r0x33d | 
         No rating | 
   2015-06-10 | 
 
  
  | XSS in myshopify.com Admin site in TAX Overrides | 
  Cross-site Scripting (XSS) - Generic | 
  nismo | 
         No rating | 
   2015-06-09 | 
 
  
  | Authentication Failed Mobile version | 
  Improper Authentication - Generic | 
  lccunha | 
         No rating | 
   2015-06-02 | 
 
  
  | Stored XSS in the Shopify Discussion Forums | 
  Cross-site Scripting (XSS) - Generic | 
  sukhjiwansingh | 
         No rating | 
   2015-05-31 | 
 
  
  | Multiple issues on Checkout Process | 
  Violation of Secure Design Principles | 
  ishikawa | 
         No rating | 
   2015-05-21 | 
 
  
  | Lack of SSL Pinning on POS Application ( iOS ) | 
  Cryptographic Issues - Generic | 
  ishikawa | 
         No rating | 
   2015-05-21 | 
 
  
  | XSS in experts.shopify.com | 
  Cross-site Scripting (XSS) - Generic | 
  haxs101 | 
         No rating | 
   2015-05-19 | 
 
  
  | XSS - URL Redirects | 
  Cross-site Scripting (XSS) - Generic | 
  vlazeg | 
         No rating | 
   2015-05-17 | 
 
  
  | Xss in website's link | 
  Cross-site Scripting (XSS) - Generic | 
  ragnar | 
         No rating | 
   2015-05-13 | 
 
  
  | Content Spoofing | 
  Violation of Secure Design Principles | 
  zerohat | 
         No rating | 
   2015-05-05 | 
 
  
  | comment out causes information disclosure | 
  Information Disclosure | 
  shhnjk | 
         No rating | 
   2015-04-19 | 
 
  
  | IDOR expire other user sessions | 
  Improper Authentication - Generic | 
  sappi | 
         No rating | 
   2015-04-17 | 
 
  
  | Missing spf flags for myshopify.com | 
  None supplied | 
  scorppy | 
         No rating | 
   2015-04-16 |