CVE-2021-25962

Improper Neutralization of Formula Elements in a CSV File in pypi/shuup

Identifier

CVE-2021-25962

Package Slug

pypi/shuup

Vulnerability

Improper Neutralization of Formula Elements in a CSV File

Description

In the “Shuup” application, a customer can inject payloads in the name input field of the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.

Affected Versions

All versions starting from 0.4.2 before 2.11.0

Solution

Upgrade to version 2.11.0 or above.
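
One way to neutralize formula elements at export time, as an added example that is not Shuup's own code or its 2.11.0 fix: customer-supplied strings that begin with a formula trigger character are prefixed with a single quote before the report is written. The function names, the CSV output format and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (the set listed in OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value a spreadsheet will display as text instead of evaluating."""
    if not isinstance(value, str):
        return value  # typed numbers, None, etc. cannot carry a formula
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value  # leading quote forces the cell to be read as text
    return value


def export_rows(header, rows):
    """Serialize report rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    # QUOTE_ALL keeps embedded commas, quotes and newlines inside one cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample data: report rows whose billing_name is customer input.
SAMPLE_HEADER = ["order_id", "billing_name", "total"]
SAMPLE_ROWS = [
    [1001, "Alice Example", 19.90],
    [1002, "=1+1", 5.00],            # harmless formula stand-in for a payload
    [1003, "@SUM(1,1)", -3.50],      # numeric total stays a real negative number
    [1004, 'Bob "Bobby" Example', 7.25],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS))
```

Only string cells are rewritten, so a negative amount stored as a number is exported unchanged, while a customer-typed string such as `-5` would gain the quote prefix.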

Last Modified

2021-10-10
