The RSA Archer team has assessed this vulnerability report and determined that it is not a vulnerability in our product, but rather a side effect of the CSV format. We believe that this issue should be mitigated by the application that interprets the user-exported CSV file rather than by the application that creates it.

Penetration reports are often accompanied by resolutions suggesting the escape or removal of the formula trigger characters. These suggestions, however, modify data in RSA Archer, which can result in hard-to-debug issues such as duplicate records or reports of version/audit updates when such CSVs are later imported. At this time, our analysis has concluded that, given its negative side effects, a change to RSA Archer for this issue does not benefit the majority of our customers.

RSA Archer will update this article if any new information becomes available in the future. RSA Archer customers are advised to follow the security best practices documented here:
https://community.rsa.com/docs/DOC-94422
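
The trade-off described above, as an added example that is not RSA Archer code: a read-only check the consuming side can run on an exported CSV, next to the exporter-side escaping that changes values when the file is re-imported. The trigger set follows OWASP's CSV Injection guidance; the function names and sample rows are constructed for illustration.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula
# (assumption: the set listed in OWASP's CSV Injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def find_formula_cells(csv_text):
    """Return (row, column, value) for each cell starting with a trigger.

    Read-only: the consumer can review or quarantine the file without the
    exporting application having altered any stored value.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_TRIGGERS):
                hits.append((r, c, cell))
    return hits


def escape_cell(value):
    """Exporter-side escaping (apostrophe prefix), as reports often suggest."""
    return "'" + value if value.startswith(FORMULA_TRIGGERS) else value


def export_rows(rows, escape=False):
    """Serialize rows to CSV text, optionally escaping trigger characters."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_cell(v) if escape else v for v in row])
    return out.getvalue()


def changed_on_round_trip(rows):
    """Cells whose value differs after an escaped export is read back in."""
    reread = list(csv.reader(io.StringIO(export_rows(rows, escape=True))))
    return [(old, new) for o_row, n_row in zip(rows, reread)
            for old, new in zip(o_row, n_row) if old != new]


# Constructed sample records (not Archer data): a legitimate negative number
# and a formula-shaped string among ordinary values.
SAMPLE = [
    ["id", "owner", "delta"],
    ["101", "alice", "-42"],
    ["102", "=SUM(A1:A2)", "7"],
]
```

The legitimate value `-42` is rewritten by the escaping path just like the formula-shaped cell, which is the kind of data change that surfaces as a spurious update on import.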