CVE-2021-25962: CSV injection in shuup
(updated )
“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.
References
- github.com/advisories/GHSA-663j-rjcr-789f
- github.com/pypa/advisory-database/tree/main/vulns/shuup/PYSEC-2021-355.yaml
- github.com/shuup/shuup
- github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51
- nvd.nist.gov/vuln/detail/CVE-2021-25962
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962
Detect and mitigate CVE-2021-25962 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →