Prestashop 8.0.4 CSV injection

2023.06.07

Credit: Mirabbas Ağalarov

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Exploit Title: Prestashop 8.0.4 - CSV injection
Application: prestashop
Version: 8.0.4
Bugs:  CSV Injection
Technology: PHP
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date of found: 14.05.2023
Author: Mirabbas Ağalarov
Tested on: Windows


2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My Account then information ( http://localhost/index.php?controller=identity )
step 3. Set Email as  =calc|a!z|@test.com
step 3. If admin Export costumers as CSV  file ,in The computer of admin  occurs csv injection and will open calculator (http://localhost/admin07637b2omxxdbmhikgb/index.php/sell/customers/?_token=mtc1BTvq-Oab2lBdfCaxpOorYraGGVMiTFluJzOpkWI)

payload: =calc|a!z|@test.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Prestashop 8.0.4 CSV injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.