CVE-2021-25962 HIGH

CVE-2021-25962: Shuup - Formula Injection in Checkout Addresses

Vendor Shuup
Product shuup
Weakness CWE-1236
Published September 29, 2021
Last update September 17, 2024

CVSS base score

8.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Shuup application, in versions 0.4.2 to 2.10.8, is affected by a Formula Injection vulnerability. A customer can inject payloads in the name input field of the billing address while buying a product. When a store administrator accesses the reports page, exports the data as an Excel file and opens it, the payload gets executed.
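An added example, not Shuup's own code or its fix: one way to neutralize formula-leading characters (CWE-1236) in customer-supplied fields before a report is exported, following the OWASP CSV injection guidance. The function names and the sample orders are constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (OWASP CSV injection guidance), including tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet displays as text, not a formula."""
    # Numbers produced by the application itself stay numeric.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = "" if value is None else str(value)
    # Conservative choice: also catch a trigger hidden behind leading spaces.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        # A leading apostrophe makes the spreadsheet treat the cell as text.
        return "'" + text
    return text


def export_report(header, rows):
    """Write rows to CSV text, neutralizing every cell that came from user input."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas and quotes from splitting a cell in two,
    # which would otherwise let a value start a new, unsanitized cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: order id, billing name (customer-controlled), total.
SAMPLE_HEADER = ["Order", "Billing name", "Total"]
SAMPLE_ORDERS = [
    ("1001", "Alice Example", 19.90),
    ("1002", "=1+1", 5.00),            # benign formula standing in for a payload
    ("1003", "  @SUM(A1:A2)", 7.50),   # trigger hidden behind leading spaces
]

if __name__ == "__main__":
    print(export_report(SAMPLE_HEADER, SAMPLE_ORDERS))
```

String values that legitimately begin with a minus sign, such as "-5", are also prefixed; values that must stay numeric should be passed as numbers rather than strings.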

Key dates

02 Disclosure timeline

September 29, 2021 CVE published
September 17, 2024 Record updated