Description
A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.61-v3.1.62 that allows an attacker to inject JS payloads into the `shop` parameter on the `/shopify/auth/enable_cookies` endpoint.
Remediation
References
https://github.com/Shopify/quilt/pull/1455
https://hackerone.com/reports/881409
Related Vulnerabilities
CVE-2021-39235 Vulnerability in maven package org.apache.ozone:ozone-main
CVE-2022-24822 Vulnerability in npm package @podium/proxy
CVE-2021-29459 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web
CVE-2018-1000614 Vulnerability in maven package org.onosproject:onos-netconf-provider-alarm
CVE-2021-21295 Vulnerability in maven package io.netty:netty-codec-http2