Description
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint.
Remediation
References
https://github.com/Shopify/quilt/pull/1455
https://hackerone.com/reports/881409