High severity · NVD Advisory · Published Sep 29, 2021 · Updated Sep 17, 2024
Shuup - Formula Injection in Checkout Addresses
CVE-2021-25962
Description
The Shuup application, in versions 0.4.2 to 2.10.8, is affected by a formula injection vulnerability (also known as CSV or spreadsheet injection). A customer can enter a payload in the name field of the billing address while buying a product. When a store administrator goes to the reports page, exports the data as an Excel file and opens that file, the payload is executed by the spreadsheet application.
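The export path described above turns untrusted checkout input into spreadsheet cells, so the defensive fix belongs in the report writers. The following is an added example, not code from Shuup or from the fix commit: it neutralises cells the way OWASP recommends for CSV injection, by checking only the first character against the full set of formula triggers (`=`, `+`, `-`, `@`, tab, carriage return) and prefixing a single quote so the cell is stored as literal text, which preserves hyphenated names and `+`-prefixed phone numbers that a character-stripping filter would mangle. The function and sample rows are constructed for illustration; the same `neutralize_cell` applies unchanged to values appended to an openpyxl worksheet.

```python
import csv
import io

# Characters that Excel and LibreOffice treat as the start of a formula when
# they appear first in a cell. Tab and carriage return are included because
# some importers treat them as cell or record separators, letting a trigger
# character that follows them start a fresh cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_trigger(value):
    """True when a string cell would be parsed as a formula if exported as-is."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Return `value` made safe for spreadsheet export.

    Only string cells can carry a formula, and only when the trigger is the
    first character, so a single leading apostrophe is enough: the spreadsheet
    shows the cell as text and the original content survives intact. Non-string
    values (numbers, dates) are returned untouched.
    """
    if is_formula_trigger(value):
        return "'" + value
    return value


def rows_to_csv(headers, rows):
    """Serialise report rows to CSV with every data cell neutralised.

    csv.QUOTE_ALL wraps every field in double quotes so an embedded comma or
    quote inside a cell cannot spill into a neighbouring cell either.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(headers)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample report rows (not real Shuup data). The first name is the
# kind of checkout input the advisory describes; the other cells are legitimate
# values that a filter deleting "=", "+" and "-" everywhere would corrupt.
SAMPLE_HEADERS = ["Customer name", "Phone", "Total"]
SAMPLE_ROWS = [
    ["=1+1", "+1 555 0100", -12.5],
    ["Jean-Pierre Dupont", "040 1234567", 99.0],
    ["@handle", "\t555", "-3"],
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_HEADERS, SAMPLE_ROWS))
```

The trade-off of the apostrophe approach is visible in the last row: a negative amount stored as the string `"-3"` is also prefixed, which is why numeric columns should be exported as numbers rather than pre-formatted text, so that the guard only touches genuinely free-text cells.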
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shuup (PyPI) | >= 0.4.2, < 2.11.0 | 2.11.0 |
Affected products
Patches (1)
0a2db392e851 Reports: clean malicious content from the HTML and CSV exporters
2 files changed · +14 −5
CHANGELOG.md+1 −0 modified@@ -14,6 +14,7 @@ List all changes after the last release here (newer on top). Each change on a se ### Changed +- Reports: clean malicius content from the HTML and CSV exporters - Reports: prevent formulas from being exported in excel writer - Tests: log errors into a log file - Admin: hide email template button based on permission
shuup/reports/writer.py+13 −5 modified@@ -5,6 +5,7 @@ # # This source code is licensed under the OSL-3.0 license found in the # LICENSE file in the root directory of this source tree. +import bleach import csv import six from babel.dates import format_datetime @@ -154,6 +155,13 @@ def format_data(data, format_iso_dates=False, format_money_values=False): return data +def remove_unsafe_chars(data): + if isinstance(data, str): + return "".join([char for char in data if char not in ("=", "+", "-")]) + + return data + + class CSVReportWriter(ReportWriter): content_type = "text/csv" extension = ".csv" @@ -170,12 +178,12 @@ def write_data_table(self, report, report_data, has_totals=True): self.data.append([c["title"] for c in report.schema]) for datum in report_data: datum = report.read_datum(datum) - self.data.append([format_data(data, format_iso_dates=True) for data in datum]) + self.data.append([format_data(remove_unsafe_chars(data), format_iso_dates=True) for data in datum]) if has_totals: for datum in report.get_totals(report_data): datum = report.read_datum(datum) - self.data.append([format_data(data) for data in datum]) + self.data.append([format_data(remove_unsafe_chars(data)) for data in datum]) def get_rendered_output(self): f = StringIO() @@ -206,13 +214,13 @@ def write_data_table(self, report, report_data, has_totals=True): self.worksheet.append([c["title"] for c in report.schema]) for datum in report_data: datum = report.read_datum(datum) - self.worksheet.append([format_data(data) for data in datum]) + self.worksheet.append([format_data(remove_unsafe_chars(data)) for data in datum]) self._convert_row_to_string() if has_totals: for datum in report.get_totals(report_data): datum = report.read_datum(datum) - self.worksheet.append([format_data(data) for data in datum]) + self.worksheet.append([format_data(remove_unsafe_chars(data)) for data in datum]) self._convert_row_to_string() def write_page_heading(self, text): 
@@ -264,7 +272,7 @@ def _w_raw(self, content): self.output.append(mark_safe(content)) def _w(self, content): - self.output.append(format_data(content, format_money_values=True)) + self.output.append(bleach.clean(str(format_data(content, format_money_values=True)), strip=True)) def _w_tag(self, tag, content): self._w_raw("<%s>" % tag)
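Review bot: the `+import bleach` line in the first shuup/reports/writer.py hunk introduces a new third-party dependency, but the commit touches only CHANGELOG.md and writer.py (2 files changed), so no dependency declaration is updated here; confirm that bleach is already a declared runtime requirement of the project, otherwise report rendering fails with an ImportError on a clean install.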
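Review bot: `remove_unsafe_chars` in the second writer.py hunk is both too narrow and too aggressive. Its tuple `("=", "+", "-")` omits `@` and the tab and carriage-return characters, which spreadsheet applications also accept as the start of a formula or as a cell separator, so a value beginning with `@` still reaches the exported file unchanged. At the same time it deletes `=`, `+` and `-` from every position in the string, although only a leading character can start a formula, so hyphenated names, `+`-prefixed phone numbers and the sign of a negative amount stored as text are silently corrupted in every export. Checking only the first character against the full trigger set and prefixing such cells with a single quote (so the spreadsheet stores them as literal text) closes the gap without altering legitimate data.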
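Review bot: in both `write_data_table` hunks (the CSV writer at line 178 and the Excel writer at line 214) `remove_unsafe_chars` is applied to the raw datum and `format_data` runs afterwards, so the filter never sees the string that is actually written; any value `format_data` itself renders into text beginning with a trigger character, such as a negative money amount, bypasses the check. Wrapping the other way round (`remove_unsafe_chars(format_data(data, ...))`) makes sanitising the last step before the cell is appended. The header row built from `[c["title"] for c in report.schema]` is also written unfiltered; the titles come from the report schema rather than from customers, so the risk is lower, but a comment saying so would help. The change also ships without a test (only the changelog and writer.py are modified); a regression test that exports one datum starting with each trigger character and asserts on the written cell would pin the behaviour.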
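Review bot: in the `_w` hunk of the HTML writer, `bleach.clean(..., strip=True)` is called with bleach's default allow-list, which keeps a handful of inline tags such as `<a href>`, `<b>` and `<i>` and their allowed attributes, so customer-supplied markup in a name field can still be rendered as a live link in the administrator's HTML report; passing an empty `tags` set (and empty `attributes`) reduces the output to plain text, which is all a report cell needs. Note also that `_w_raw` continues to append `mark_safe(content)` unchanged, so every caller of `_w_raw` must remain restricted to markup the writer itself generates.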
References (5)
- github.com/advisories/GHSA-663j-rjcr-789f (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-25962 (GHSA, advisory)
- github.com/pypa/advisory-database/tree/main/vulns/shuup/PYSEC-2021-355.yaml (GHSA, web)
- github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51 (GHSA, x_refsource_MISC, web)
- www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962 (GHSA, x_refsource_MISC, web)