Malicious input can inject formulas into CSV files, opening up the possibility for phishing attacks and
disclosure of sensitive information.
Additionally, Excel exposes the ability to launch arbitrary commands through the DDE protocol.
See also:
http://www.contextis.com/resources/blog/comma-separated-vulnerabilities/