CVE-2021-25962 — CSV injection in shuup

Description

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.

How to fix CVE-2021-25962

To remediate CVE-2021-25962, upgrade the affected package to a fixed version below.

—upgrade to 2.11.0 or later
—upgrade to 0a2db392e8518410c282412561461cd8797eea51 or later

Is CVE-2021-25962 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 0.4.2, < 2.11.0
from 0, < 0a2db392e8518410c282412561461cd8797eea51 | >= 0.4.2, < 2.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (6)

ADVISORYgithub.com/advisories/GHSA-663j-rjcr-789f
ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-25962
PATCHgithub.com/shuup/shuup
WEBgithub.com/pypa/advisory-database/tree/main/vulns/shuup/PYSEC-2021-355.yaml