CVE-2021-25962

Опубликовано: 29 сент. 2021

Источник: nvd

CVSS3: 8

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.

Ссылки

https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962
Third Party Advisory
https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51
Patch
Third Party Advisory
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:shuup:shuup:*:*:*:*:*:*:*:*

Версия от 0.4.2 (включая) до 2.11.0 (исключая)

EPSS

Процентиль: 62%

0.00432

Низкий

8 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-1236

Связанные уязвимости

GHSA-663j-rjcr-789f

CVSS3: 8

github

больше 4 лет назад

CSV injection in shuup

EPSS

Процентиль: 62%

0.00432

Низкий

8 High

CVSS3

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

CWE-1236