Safety vulnerability ID: 41033
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Shuup 2.11.0 includes a fix for CVE-2021-25963: Shuup versions 1.6.0 through 2.10.8 are vulnerable to reflected Cross-Site Scripting (XSS) that allows execution of arbitrary JavaScript code in a victim's browser. The vulnerability exists because the error page contents are not escaped.
https://github.com/shuup/shuup/commit/75714c37e32796eb7cbb0d977af5bcaa26573588
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25963
Latest version: 3.1.0
E-Commerce Platform
Added
- GDPR: create a snippet blocker to prevent injection when cookie is not consented
- Xtheme: create the `xtheme_snippet_blocker` provides hook to allow blocking a global script injection
- Xtheme: add a name to the `Snippet` object
- Reports: add CSV report writer
Fixed
- Front: fix so orders that are canceled can't be paid for
- General: fix critical vulnerability in views that returned unescaped content, leaving them open to XSS attacks
- Admin: fix code mirror destruction by node id
Changed
- Reports: clean malicious content from the HTML and CSV exporters
- Reports: prevent formulas from being exported in excel writer
- Tests: log errors into a log file
- Admin: hide email template button based on permission
- Reports: improve log when an importer fails