CVE-2021-3985: 
PHP vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in kimai2 (CVE-2021-3985), affecting versions prior to 1.16.3. The vulnerability was related to improper neutralization of input during web page generation, specifically in the markdown processing functionality (NVD, CVE).

The vulnerability was identified with a CVSS v3.1 base score of 9.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The issue stemmed from unsafe markdown processing that could allow injection of malicious content. The vulnerability was specifically related to the markdown parser's safe mode configuration, which wasn't properly enforced (NVD).

The vulnerability could allow an authenticated attacker to inject and execute arbitrary web script or HTML code through markdown content processing, potentially leading to the compromise of sensitive information or user session hijacking (NVD).

The vulnerability was patched in version 1.16.3 by enforcing safe mode in markdown processing and escaping markup. The fix includes setting both setSafeMode and setMarkupEscaped to true, preventing the processing of potentially malicious markdown content (GitHub Patch).