1 An admin adds a user, or a user signs up.
2 The user logs in and edits their own profile.
3 The user changes their real name to "=1+cmd|'/C calc'!A0".
4 The admin exports the users as a CSV file.
5 The admin opens the CSV, and we can see that the calculator is opened.
See https://owasp.org/www-community/attacks/CSV_Injection for how to fix it.
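
One way to apply the OWASP guidance at the export step (step 4), as an added example that is not the application's own code. The function names, field names and user records are assumptions constructed for illustration.

```python
import csv
import io

# Leading characters the OWASP CSV Injection page lists as formula triggers:
# equals, plus, minus, at, tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet displays instead of evaluating."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # A leading single quote makes the spreadsheet treat the cell as plain text.
        return "'" + text
    return text


def export_users_csv(users, fields=("id", "realname", "email")):
    """Serialize user records (hypothetical schema) to CSV with every cell neutralized."""
    buf = io.StringIO(newline="")
    # QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    # so user input cannot close the field and start a new cell.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(fields)
    for user in users:
        writer.writerow([neutralize_cell(user.get(name)) for name in fields])
    return buf.getvalue()


# Constructed sample records; the first real name is the value from step 3.
SAMPLE_USERS = [
    {"id": 1, "realname": "=1+cmd|'/C calc'!A0", "email": "user1@example.test"},
    {"id": 2, "realname": 'Ann "AJ" Lee', "email": "user2@example.test"},
    {"id": 3, "realname": "@SUM(A1:A9)", "email": None},
]

if __name__ == "__main__":
    print(export_users_csv(SAMPLE_USERS), end="")
```

Neutralizing at export time rather than at signup keeps the stored name unchanged and covers every field that reaches the CSV, including ones written before the fix.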