The Firmware
Monthly
CSV formula injection in the PrestaShop module 'The Firmware' version 8.2.1 enables an authenticated attacker to inject malicious spreadsheet expressions via the unsanitized 'Alias' parameter in the address update function. When a victim subsequently exports account data using the 'Get my data in CSV' feature and opens the file in a spreadsheet application, the injected formula executes in that application's context, potentially exfiltrating the victim's personal data or executing commands on their workstation. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 4.5 reflects the high-privilege and user-interaction prerequisites that constrain exploitability.
CSV formula injection in the PrestaShop module 'The Firmware' version 8.2.1 enables an authenticated attacker to inject malicious spreadsheet expressions via the unsanitized 'Alias' parameter in the address update function. When a victim subsequently exports account data using the 'Get my data in CSV' feature and opens the file in a spreadsheet application, the injected formula executes in that application's context, potentially exfiltrating the victim's personal data or executing commands on their workstation. No public exploit code or CISA KEV listing has been identified at time of analysis; the CVSS 4.0 score of 4.5 reflects the high-privilege and user-interaction prerequisites that constrain exploitability.