Stored XSS via "my recent queries" selector in NRQL dashboard builder
π https://hackerone.com/reports/626082
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 2:58pm (UTC)
π https://hackerone.com/reports/626082
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 2:58pm (UTC)
NRQL Query allows restricted user to pull all data from Synthetics monitors without having read permissions enabled
π https://hackerone.com/reports/387290
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:00pm (UTC)
π https://hackerone.com/reports/387290
πΉ Severity: Medium | π° 750 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:00pm (UTC)
Restricted user can view all account invoices, payment method details, PII of account owner through zoura_api endpoints
π https://hackerone.com/reports/501672
πΉ Severity: Medium | π° 900 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:01pm (UTC)
π https://hackerone.com/reports/501672
πΉ Severity: Medium | π° 900 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:01pm (UTC)
(Prerelease UI) Stored XSS via role name in JSON chart
π https://hackerone.com/reports/520630
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:03pm (UTC)
π https://hackerone.com/reports/520630
πΉ Severity: High | π° 2,500 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:03pm (UTC)
Restricted user is able to delete filter sets of admin users in https://infrastructure.newrelic.com/accounts/{{ACC#}}/settings/filterSets
π https://hackerone.com/reports/202501
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:07pm (UTC)
π https://hackerone.com/reports/202501
πΉ Severity: Medium | π° 250 USD
πΉ Reported To: New Relic
πΉ Reported By: #jon_bottarini
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:07pm (UTC)
SSO bypass in zendesk using trint organization able to leak internal ticket information
π https://hackerone.com/reports/734936
πΉ Severity: High
πΉ Reported To: Trint Ltd
πΉ Reported By: #dopaminedetox
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:43pm (UTC)
π https://hackerone.com/reports/734936
πΉ Severity: High
πΉ Reported To: Trint Ltd
πΉ Reported By: #dopaminedetox
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 3:43pm (UTC)
increased privileges on staff account
π https://hackerone.com/reports/911857
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #jaka_tingkir
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:05pm (UTC)
π https://hackerone.com/reports/911857
πΉ Severity: Medium | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #jaka_tingkir
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:05pm (UTC)
xss stored in https://your store.myshopify.com/admin/
π https://hackerone.com/reports/887879
πΉ Severity: Low | π° 1,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #zwail
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:08pm (UTC)
π https://hackerone.com/reports/887879
πΉ Severity: Low | π° 1,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #zwail
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:08pm (UTC)
Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition)
π https://hackerone.com/reports/869605
πΉ Severity: Medium
πΉ Reported To: Shopify
πΉ Reported By: #meow-hacker-meow
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:17pm (UTC)
π https://hackerone.com/reports/869605
πΉ Severity: Medium
πΉ Reported To: Shopify
πΉ Reported By: #meow-hacker-meow
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:17pm (UTC)
*.shopify.com - Authentication bypass
π https://hackerone.com/reports/838231
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #nooblife
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:18pm (UTC)
π https://hackerone.com/reports/838231
πΉ Severity: No Rating
πΉ Reported To: Shopify
πΉ Reported By: #nooblife
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:18pm (UTC)
STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend
π https://hackerone.com/reports/917875
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #langduvnsec
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:41pm (UTC)
π https://hackerone.com/reports/917875
πΉ Severity: Medium | π° 1,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #langduvnsec
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 4:41pm (UTC)
[com.smule.autorap.*] Cloud Messaging/Push Notification service takeover due to clear-text usage of Legacy FCM Server keys in the client app
π https://hackerone.com/reports/789370
πΉ Severity: Critical
πΉ Reported To: Smule
πΉ Reported By: #absshax
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 7:27pm (UTC)
π https://hackerone.com/reports/789370
πΉ Severity: Critical
πΉ Reported To: Smule
πΉ Reported By: #absshax
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 7:27pm (UTC)
Stocky App Administrator can create a backdoor admin account by using an existing POS User
π https://hackerone.com/reports/962895
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 9:58pm (UTC)
π https://hackerone.com/reports/962895
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 9:58pm (UTC)
[windows-edge] RCE via insecure command formatting
π https://hackerone.com/reports/878420
πΉ Severity: Critical
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #mik317
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:04pm (UTC)
π https://hackerone.com/reports/878420
πΉ Severity: Critical
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #mik317
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:04pm (UTC)
Path Traversal in App Proxy
π https://hackerone.com/reports/869888
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ngalog
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:27pm (UTC)
π https://hackerone.com/reports/869888
πΉ Severity: Medium | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ngalog
πΉ State: π’ Resolved
πΉ Disclosed: August 24, 2020, 10:27pm (UTC)
Prototype pollution attack (lodash)
π https://hackerone.com/reports/841380
πΉ Severity: Medium
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #macasun
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:26am (UTC)
π https://hackerone.com/reports/841380
πΉ Severity: Medium
πΉ Reported To: Node.js third-party modules
πΉ Reported By: #macasun
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:26am (UTC)
Recently added 'Country' field doesn't send email notification when changed
π https://hackerone.com/reports/961841
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #bugra
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:57am (UTC)
π https://hackerone.com/reports/961841
πΉ Severity: Low | π° 500 USD
πΉ Reported To: HackerOne
πΉ Reported By: #bugra
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 10:57am (UTC)
Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020)
π https://hackerone.com/reports/961929
πΉ Severity: No Rating | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:55pm (UTC)
π https://hackerone.com/reports/961929
πΉ Severity: No Rating | π° 1,500 USD
πΉ Reported To: Shopify
πΉ Reported By: #saltymermaid
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:55pm (UTC)
Stored XSS on Broken Themes via filename
π https://hackerone.com/reports/406289
πΉ Severity: Low | π° 300 USD
πΉ Reported To: WordPress
πΉ Reported By: #apapedulimu
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:56pm (UTC)
π https://hackerone.com/reports/406289
πΉ Severity: Low | π° 300 USD
πΉ Reported To: WordPress
πΉ Reported By: #apapedulimu
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 3:56pm (UTC)
Self XSS in Timeline
π https://hackerone.com/reports/854299
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ryat
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 5:04pm (UTC)
π https://hackerone.com/reports/854299
πΉ Severity: No Rating | π° 500 USD
πΉ Reported To: Shopify
πΉ Reported By: #ryat
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 5:04pm (UTC)
Script Editor preview token still working with uninstalled application, even for unpublished script
π https://hackerone.com/reports/915940
πΉ Severity: No Rating | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:34pm (UTC)
π https://hackerone.com/reports/915940
πΉ Severity: No Rating | π° 2,000 USD
πΉ Reported To: Shopify
πΉ Reported By: #francisbeaudoin
πΉ State: π’ Resolved
πΉ Disclosed: August 25, 2020, 9:34pm (UTC)