CVE-2021-25962

HIGH

Shuup 0.4.2-2.10.8 - Code Injection

Title source: llm

Description

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.

References (2)

[Third Party Advisory] https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962

[Patch, Third Party Advisory] https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51

View Patch ZIP pw:eip

Scores

CVSS v3 8.0

EPSS 0.0043

EPSS Percentile 62.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-1236

Status published

Products (2)

pypi/shuup 0.4.2 - 2.11.0PyPI

shuup/shuup 0.4.2 - 2.11.0

Published Sep 29, 2021

Tracked Since Feb 18, 2026