[[IDOR]] via Changing the newsletter ID
[[API3-Broken Object Property Level Authorization (BOPLA)]] -> Excessive Data Exposure
[[API5 Broken Function Level Authorization (BFLA)]]
[[CSRF]] for unsubscribe option
[[XSS_HTML Injection]] https://testbuguser.myshopify.com/?contact[email]%20onfocus%3djavascript:alert(%27xss%27)%20autofocus%20a=a&form_type[a]aaa
Unverified User Can Post Newsletter -> https://hackerone.com/reports/1691603
BAC -> Fill the form with other's email -> https://hackerone.com/reports/145396
No Rate Limit -> No-Captcha -> Spam Victim -> https://hackerone.com/reports/145612
Host Header Injection -> https://hackerone.com/reports/229498