Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action.
phpjabbers appointment scheduler 3.0