csv_builder.rb in ActiveAdmin (aka Active Admin) prior to 3.2.0 allows CSV injection.
activeadmin active admin