Date: September 30, 2021


In Shuup, versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary JavaScript code in the victim's browser. The vulnerability exists because the contents of the error page are not escaped.


The “Shuup” application is affected by a “Reflected XSS” vulnerability on an error page. An attacker sends the victim a malicious link; the script injected through it issues a cross-site request that changes the email address registered on the victim's account to the attacker's address, which leads to account takeover.

PoC Details

As the victim user, click on the malicious URL and the malicious payload will be executed.

PoC Code:

<script>alert(1)</script>
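The following is an added example, not code from the Shuup project or from this advisory, showing the defect class the advisory describes: an error page that reflects a request-derived value into HTML without escaping, next to the hardened form that escapes it. The template text, the render_error_page_* and contains_live_markup names and the request values are constructed for illustration; only the payload string is the one quoted in the PoC above.

```python
"""Added example (not Shuup project code): why an unescaped error page is a
reflected XSS sink, and how output escaping closes it.

Assumptions (not taken from the advisory): the error page template, the
render_error_page_* function names and the sample request values are
constructed for illustration; the payload is the one quoted in the PoC.
"""
from html import escape

# Payload quoted in the advisory's PoC section.
POC_PAYLOAD = "<script>alert(1)</script>"

# Constructed template for a generic "not found" error page that reflects the
# requested path back to the user, the pattern the advisory describes.
ERROR_TEMPLATE = (
    "<html><body>"
    "<h1>Page not found</h1>"
    "<p>The page {path} could not be found.</p>"
    "</body></html>"
)


def render_error_page_unescaped(requested_path: str) -> str:
    """Vulnerable form: the attacker-controlled path is concatenated into the
    HTML verbatim, so any markup in it becomes part of the document."""
    return ERROR_TEMPLATE.format(path=requested_path)


def render_error_page_escaped(requested_path: str) -> str:
    """Hardened form: HTML-escape every untrusted value before it reaches the
    template. In a Django app this is what template autoescaping does, as long
    as request-derived values are never marked safe (|safe / mark_safe)."""
    return ERROR_TEMPLATE.format(path=escape(requested_path, quote=True))


def contains_live_markup(rendered_html: str, payload: str) -> bool:
    """Regression check a defender can keep in the test suite: True if the raw
    payload survives into the response, i.e. the page still reflects markup."""
    return payload in rendered_html


if __name__ == "__main__":
    vulnerable = render_error_page_unescaped(POC_PAYLOAD)
    fixed = render_error_page_escaped(POC_PAYLOAD)
    print("vulnerable page reflects payload:", contains_live_markup(vulnerable, POC_PAYLOAD))
    print("escaped page reflects payload:   ", contains_live_markup(fixed, POC_PAYLOAD))
    print(fixed)
```

The escaped rendering turns the payload into `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text instead of executing. The same check, run against the real error handler with the PoC payload in the request path, is a cheap way to confirm that an upgrade to 2.11.0 (or a local fix) actually removed the reflection.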

Affected Environments

PyPI Version Range: 1.6.0 through 2.10.8; GitHub Version Range: shoop/v2.0.0 through v2.10.8


Update to Shuup version 2.11.0

Language: Python

Good to know: Cross-Site Scripting (XSS)


Upgrade Version

Upgrade to version shuup - 2.11.0


Base Score (CVSS v3 metrics):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score (CVSS v2 metrics):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None