CVE-2021-25962

Name of the Vulnerable Software and Affected Versions Shuup versions 0.4.2 through 2.10.8

Description The issue allows a customer to inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed. This is related to a "Formula Injection" issue.

Recommendations For versions 0.4.2 through 2.10.8, consider restricting access to the billing address input field to prevent payload injection until a patch is available. As a temporary workaround, consider disabling the export of data as an Excel file from the reports page until the issue is resolved. Avoid using the name input field in the billing address for any critical operations until the vulnerability is fixed.