6 vulnerabilities found for shuup by shuup
FKIE_CVE-2021-25963
Vulnerability from fkie_nvd - Published: 2021-09-30 08:15 - Updated: 2024-11-21 05:55
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS), which allows execution of arbitrary JavaScript code in a victim's browser. The vulnerability exists because the error page contents are not escaped.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:shuup:shuup:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9D5824DD-A1E4-405E-8137-A84852041A3D",
"versionEndIncluding": "2.10.8",
"versionStartIncluding": "1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped."
},
{
"lang": "es",
"value": "En Shuup, versiones 1.6.0 hasta 2.10.8, son vulnerables a una ataque de tipo Cross-Site Scripting (XSS) reflejado que permite una ejecuci\u00f3n de c\u00f3digo javascript arbitrario en un navegador v\u00edctima. Esta vulnerabilidad se presenta debido a que el contenido de la p\u00e1gina de error no se escapa"
}
],
"id": "CVE-2021-25963",
"lastModified": "2024-11-21T05:55:41.190",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-30T08:15:06.357",
"references": [
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
},
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
}
],
"sourceIdentifier": "vulnerabilitylab@mend.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-25962
Vulnerability from fkie_nvd - Published: 2021-09-29 14:15 - Updated: 2024-11-21 05:55
Severity ?
8.0 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
The “Shuup” application, in versions 0.4.2 to 2.10.8, is affected by a “Formula Injection” vulnerability. A customer can inject payloads into the name input field of the billing address while buying a product. When a store administrator uses the reports page to export the data as an Excel file and opens it, the payload is executed.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:shuup:shuup:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A567FB15-5A66-4FD9-A3FE-1C25B31CAA55",
"versionEndExcluding": "2.11.0",
"versionStartIncluding": "0.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\u201cShuup\u201d application in versions 0.4.2 to 2.10.8 is affected by the \u201cFormula Injection\u201d vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n \"Shuup\" en versiones 0.4.2 a 2.10.8, est\u00e1 afectada por una vulnerabilidad \"Formula Injection\". Un cliente puede inyectar cargas \u00fatiles en el campo name input en la direcci\u00f3n de facturaci\u00f3n mientras compra un producto. Cuando un administrador de la tienda accede a la p\u00e1gina de informes para exportar los datos como un archivo de Excel y lo abre, la carga \u00fatil es ejecutada\n"
}
],
"id": "CVE-2021-25962",
"lastModified": "2024-11-21T05:55:41.060",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-29T14:15:08.070",
"references": [
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
},
{
"source": "vulnerabilitylab@mend.io",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
}
],
"sourceIdentifier": "vulnerabilitylab@mend.io",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "vulnerabilitylab@mend.io",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-25963 (GCVE-0-2021-25963)
Vulnerability from cvelistv5 – Published: 2021-09-30 07:50 – Updated: 2025-04-30 16:26
Title
Shuup - Reflected XSS in Error Page
Summary
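In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS), which allows execution of arbitrary JavaScript code in a victim's browser. The vulnerability exists because the error page contents are not escaped. Note that the CNA `affected` entry in the record below starts at 1.6.0 with `lessThan: "*"` (no upper bound), so the 2.10.8 upper bound and the 2.11.0 fix come from the description and the `solutions` field, not from the version range itself.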
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25963",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T16:10:40.078289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T16:26:18.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shuup",
"vendor": "shuup",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.6.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-30T07:50:11.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Shuup - Reflected XSS in Error Page",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-09-28T07:42:00.000Z",
"ID": "CVE-2021-25963",
"STATE": "PUBLIC",
"TITLE": "Shuup - Reflected XSS in Error Page"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "shuup",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.6.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.10.8 +1"
}
]
}
}
]
},
"vendor_name": "shuup"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
},
{
"name": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588",
"refsource": "MISC",
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"defect": [],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25963",
"datePublished": "2021-09-30T07:50:11.121Z",
"dateReserved": "2021-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-30T16:26:18.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25962 (GCVE-0-2021-25962)
Vulnerability from cvelistv5 – Published: 2021-09-29 13:55 – Updated: 2024-09-17 02:11
Title
Shuup - Formula Injection in Checkout Addresses
Summary
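The “Shuup” application, in versions 0.4.2 to 2.10.8, is affected by a “Formula Injection” vulnerability. A customer can inject payloads into the name input field of the billing address while buying a product. When a store administrator uses the reports page to export the data as an Excel file and opens it, the payload is executed. Note that the CNA `affected` entry in the record below starts at 0.4.2 with `lessThan: "*"` (no upper bound), so the 2.10.8 upper bound and the 2.11.0 fix come from the description and the `solutions` field, not from the version range itself.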
Severity ?
8.0 (High)
CWE
- CWE-1236
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:19.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "shuup",
"vendor": "shuup",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0.4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "\u201cShuup\u201d application in versions 0.4.2 to 2.10.8 is affected by the \u201cFormula Injection\u201d vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-29T13:55:10",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Shuup - Formula Injection in Checkout Addresses",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-09-25T12:08:00.000Z",
"ID": "CVE-2021-25962",
"STATE": "PUBLIC",
"TITLE": "Shuup - Formula Injection in Checkout Addresses"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "shuup",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "0.4.2"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.10.8 +1"
}
]
}
}
]
},
"vendor_name": "shuup"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "\u201cShuup\u201d application in versions 0.4.2 to 2.10.8 is affected by the \u201cFormula Injection\u201d vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1236"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
},
{
"name": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51",
"refsource": "MISC",
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"defect": [],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25962",
"datePublished": "2021-09-29T13:55:10.208119Z",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-09-17T02:11:12.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25963 (GCVE-0-2021-25963)
Vulnerability from nvd – Published: 2021-09-30 07:50 – Updated: 2025-04-30 16:26
Title
Shuup - Reflected XSS in Error Page
Summary
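In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS), which allows execution of arbitrary JavaScript code in a victim's browser. The vulnerability exists because the error page contents are not escaped. Note that the CNA `affected` entry in the record below starts at 1.6.0 with `lessThan: "*"` (no upper bound), so the 2.10.8 upper bound and the 2.11.0 fix come from the description and the `solutions` field, not from the version range itself.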
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:18.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25963",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T16:10:40.078289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T16:26:18.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "shuup",
"vendor": "shuup",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "1.6.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-30T07:50:11.000Z",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Shuup - Reflected XSS in Error Page",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-09-28T07:42:00.000Z",
"ID": "CVE-2021-25963",
"STATE": "PUBLIC",
"TITLE": "Shuup - Reflected XSS in Error Page"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "shuup",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "1.6.0"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.10.8 +1"
}
]
}
}
]
},
"vendor_name": "shuup"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary javascript code on a victim browser. This vulnerability exists due to the error page contents not escaped."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963"
},
{
"name": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588",
"refsource": "MISC",
"url": "https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"defect": [],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25963",
"datePublished": "2021-09-30T07:50:11.121Z",
"dateReserved": "2021-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-30T16:26:18.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25962 (GCVE-0-2021-25962)
Vulnerability from nvd – Published: 2021-09-29 13:55 – Updated: 2024-09-17 02:11
Title
Shuup - Formula Injection in Checkout Addresses
Summary
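The “Shuup” application, in versions 0.4.2 to 2.10.8, is affected by a “Formula Injection” vulnerability. A customer can inject payloads into the name input field of the billing address while buying a product. When a store administrator uses the reports page to export the data as an Excel file and opens it, the payload is executed. Note that the CNA `affected` entry in the record below starts at 0.4.2 with `lessThan: "*"` (no upper bound), so the 2.10.8 upper bound and the 2.11.0 fix come from the description and the `solutions` field, not from the version range itself.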
Severity ?
8.0 (High)
CWE
- CWE-1236
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:19:19.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "shuup",
"vendor": "shuup",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0.4.2",
"versionType": "custom"
}
]
}
],
"datePublic": "2021-09-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "\u201cShuup\u201d application in versions 0.4.2 to 2.10.8 is affected by the \u201cFormula Injection\u201d vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-29T13:55:10",
"orgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"shortName": "Mend"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"discovery": "UNKNOWN"
},
"title": "Shuup - Formula Injection in Checkout Addresses",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com",
"DATE_PUBLIC": "2021-09-25T12:08:00.000Z",
"ID": "CVE-2021-25962",
"STATE": "PUBLIC",
"TITLE": "Shuup - Formula Injection in Checkout Addresses"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "shuup",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003e=",
"version_name": "",
"version_value": "0.4.2"
},
{
"platform": "",
"version_affected": "\u003c=",
"version_name": "",
"version_value": "2.10.8 +1"
}
]
}
}
]
},
"vendor_name": "shuup"
}
]
}
},
"configuration": [],
"credit": [],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "\u201cShuup\u201d application in versions 0.4.2 to 2.10.8 is affected by the \u201cFormula Injection\u201d vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1236"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962",
"refsource": "MISC",
"url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25962"
},
{
"name": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51",
"refsource": "MISC",
"url": "https://github.com/shuup/shuup/commit/0a2db392e8518410c282412561461cd8797eea51"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 2.11.0"
}
],
"source": {
"advisory": "https://www.whitesourcesoftware.com/vulnerability-database/",
"defect": [],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff",
"assignerShortName": "Mend",
"cveId": "CVE-2021-25962",
"datePublished": "2021-09-29T13:55:10.208119Z",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-09-17T02:11:12.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}