Shopify Partners Invitation Process Allows Privilege Escalation Without Email Verification

Bug reported by Ahmed Ghallab was disclosed at May 15, 2025, 6:25 pm   |   Improper Access Control - Generic

The Shopify Partners invitation process allowed privilege escalation without email verification. The vulnerability permitted unauthorized users to gain access to Shopify Partners accounts and escalate their privileges by creating accounts using the email addresses of invited owners and accepting the invitations.

Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo& args) when args[0] is a string.

Bug reported by Justin Nietzel was disclosed at May 15, 2025, 1:30 pm   |   Memory Corruption - Generic

In Node.js, the `ReadFileUtf8` internal binding was found to have a memory leak due to a corrupted pointer in `uv_fs_s.file`. A UTF-16 path buffer was allocated and subsequently overwritten when the file descriptor was set, leading to an unrecoverable memory leak on every call.

[Xenoblade Chronicles X: Definitive Edition] Unrestricted RPCs allow DoS and writing arbitrary flags remotely

Bug reported by Rocco was disclosed at May 15, 2025, 12:11 am   |   Resource Injection

The Xenoblade Chronicles X: Definitive Edition vulnerability allowed attackers to perform Denial-of-Service (DoS) attacks and write arbitrary flags remotely due to unrestricted Remote Procedure Calls (RPCs).

[Xenoblade Chronicles X: Definitive Edition] Improper validation of names allows injecting formatting tags and bypassing profanity filter

Bug reported by Rocco was disclosed at May 15, 2025, 12:11 am   |  

The vulnerability in Xenoblade Chronicles X: Definitive Edition allowed improper validation of names, enabling the injection of formatting tags and bypassing the profanity filter.