Chat History CSV Export Excel Injection Vulnerability

I have found a vulnerability in the Chat History export function. If an attacker submits a special name (containing a system command) when chatting with an agent and that agent later exports the history of that chat to CSV, the resulting CSV may execute commands when opened. I have tested this using MS Excel 2013 on Windows 7. Proof of Concept: 1. Open the dashboard as an agent and go to "Visitor List". 2. Select "Simulate Visitor". (This vulnerability works in a real scenario as well, simulating a visitor is just the easiest way to reproduce it). 3. As the simulated visitor, edit your name to "-2+3+cmd|' /C calc'!G2" (without the double quotes). 4. End the chat. 5. Navigate to the "History" section, select the recent chat, click the "actions" button, select "export chat details", and input a viable email address. 6. Open the email and unpack the zip file. 7. Open the CSV in Excel. 8. A warning will show up warning the user to disable execution _unless_ he trusts the source of the file. The user may likely leave execution enable due to trusting the source (zopim). Click "enable". 9. A second warning will appear that states a similar message as the previous one ("only open if you trust the source..."). Click "yes" 10. The malicious code is executed - in this case it will just open the "calc" application. (Screenshot attached). Threat Level Estimation On one hand, this vulnerability can be pretty serious as it allows an attacker to execute arbitrary code as the current user. This can easily be used to download and install malware, establishing a firm foothold or to execute a pretty complex phishing attack (opening a browser, changing user settings, etc.) However, the severity of this attack is mitigated by the two warnings that I mentioned in the Proof of Concept. The warnings may be enough to dissuade the user from allowing Excel to execute the malicious code, although the both messages stress trusting the source and users have no reason to distrust zopim.com. Recommendation The "=" is already escaped properly, this escaping should be extended to the "-" and "+" characters as well. Let me know if I can help further. Thanks!