
CVE-2021-25962: CSV injection in shuup

CVSS Score: 8 (CVSS v3.1)

Basic Information

EPSS Score: 0.61826%
Published: 9/30/2021
Updated: 10/23/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
shuup          pip         >= 0.4.2, < 2.11.0    2.11.0

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from unsanitized data handling in report exporters. The pre-patch code in writer.py directly used user-supplied data from report_data in both CSV and Excel writers without neutralizing formula-initiating characters. The commit adds remove_unsafe_chars() to strip =, +, and - characters, confirming these functions previously lacked critical sanitization. The injection occurs specifically when these writer classes process and export user-controlled billing address data.
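The root cause above, as an added Python illustration that is not shuup's own code: a CSV export routine that mirrors the unsanitized pre-patch writer, the character-stripping fix the page describes, a quote-prefix alternative that keeps the data intact, and a check that flags formula-like cells in an exported file. The column names, sample rows and the wider trigger set are assumptions.

```python
import csv
import io

# Characters a spreadsheet treats as the start of a formula when they begin a cell.
# The page names "=", "+" and "-" for shuup's remove_unsafe_chars(); "@", tab and
# carriage return are added here as the commonly recommended wider set (assumption).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_formula_like(value) -> bool:
    """True if a spreadsheet would interpret this cell as a formula rather than text."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)

def remove_unsafe_chars(value):
    """Drop every "=", "+" and "-" from a cell, the approach the page describes for the patch."""
    if not isinstance(value, str):
        return value
    return value.translate(str.maketrans("", "", "=+-"))

def neutralize_cell(value):
    """Alternative that keeps the data intact: prefix a formula-looking cell with a single quote."""
    return "'" + value if is_formula_like(value) else value

def export_billing_report(rows, sanitizer=None) -> str:
    """Render billing-address rows as CSV; with sanitizer=None this mirrors the pre-patch writer."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["order_id", "name", "street", "city"])
    for row in rows:
        writer.writerow([sanitizer(cell) if sanitizer else cell for cell in row])
    return buf.getvalue()

def unsafe_cells(csv_text: str):
    """Detection check for an exported file: (row, column) of every cell starting with a trigger."""
    found = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                found.append((r, c))
    return found

# Constructed sample: one ordinary customer and one whose name field carries a benign formula.
SAMPLE_ROWS = [
    (1001, "Maria Smith-Jones", "12 High St", "Leeds"),
    (1002, "=1+1", "4 Elm Rd", "York"),
]

if __name__ == "__main__":
    print(unsafe_cells(export_billing_report(SAMPLE_ROWS)))                  # [(2, 1)]
    print(unsafe_cells(export_billing_report(SAMPLE_ROWS, neutralize_cell)))  # []
```

Note that stripping characters also mangles legitimate values such as the hyphen in "Smith-Jones", which is why the quote-prefix variant is shown beside it.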


WAF Protection Rules

WAF Rule

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the report
