Description
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint.
Remediation
References
https://github.com/Shopify/quilt/pull/1455
https://hackerone.com/reports/881409
Related Vulnerabilities
CVE-2021-30109 Vulnerability in npm package froala-editor
CVE-2017-3202 Vulnerability in maven package com.exadel.flamingo.flex:amf-serializer
CVE-2020-36188 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2020-14966 Vulnerability in npm package jsrsasign
CVE-2010-0684 Vulnerability in maven package org.apache.activemq:activemq-web