GLPI up to and including 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title.