CVE-2021-25962: 
Python vulnerability analysis and mitigation

The Shuup application versions 0.4.2 to 2.10.8 is affected by a Formula Injection vulnerability. This security flaw was disclosed on September 29, 2021, and allows customers to inject malicious payloads through the name input field in the billing address during product purchases (WhiteSource DB, NVD).

The vulnerability allows formula injection attacks through the billing address name field during checkout. The payload becomes active when a store administrator exports data as an Excel file from the reports page and opens it. The vulnerability has been assigned a CVSS v3.1 base score of 8.0, with Network attack vector, Low attack complexity, Low privileges required, and Required user interaction. The scope is unchanged, but the potential impact on confidentiality, integrity, and availability is rated as High (WhiteSource DB).

When successfully exploited, the vulnerability can lead to the execution of malicious formulas in Excel files, potentially compromising the confidentiality and integrity of the system. The attack can result in unauthorized data access and potential system manipulation when a store administrator opens an exported report containing the malicious payload (WhiteSource DB).

The vulnerability has been patched in Shuup version 2.11.0. Users are advised to upgrade to this version or higher to mitigate the risk. The fix includes cleaning malicious content from HTML and CSV exporters, as evidenced by the implementation of safety measures to remove unsafe characters from the data (GitHub Commit).