GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title.
{ "ubuntu_priority": "medium" }