8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25962

GHSA ID

GHSA-663j-rjcr-789f

EPSS Score

0.61826%

CWE

CWE-1236

Published

9/30/2021

Updated

10/23/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-25962

CVE-2021-25962: CSV injection in shuup

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.

(GitHub Advisory)

8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-25962

GHSA ID

GHSA-663j-rjcr-789f

EPSS Score

0.61826%

CWE

CWE-1236

Published

9/30/2021

Updated

10/23/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shuup	pip	>= 0.4.2, < 2.11.0	2.11.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsanitized data handling in report exporters. The pre-patch code in writer.py directly used user-supplied data from report_data in both CSV and Excel writers without neutralizing formula-initiating characters. The commit adds remove_unsafe_chars() to strip =, +, and - characters, confirming these functions previously lacked critical sanitization. The injection occurs specifically when these writer classes process and export user-controlled billing address data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

“S*uup” *ppli**tion in v*rsions *.*.* to *.**.* is *****t** *y t** “*ormul* Inj**tion” vuln*r**ility. * *ustom*r **n inj**t p*ylo**s in t** n*m* input *i*l* in t** *illin* ***r*ss w*il* *uyin* * pro*u*t. W**n * stor* **ministr*tor ****ss*s t** r*port

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** **t* **n*lin* in r*port *xport*rs. T** pr*-p*t** *o** in writ*r.py *ir**tly us** us*r-suppli** **t* *rom r*port_**t* in *ot* *SV *n* *x**l writ*rs wit*out n*utr*lizin* *ormul*-initi*tin* ***r**t*rs. T** *ommit

8

Basic Information

Concerned about an active attack path?

CVE-2021-25962: CSV injection in shuup

8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI