CVE-2021-43515: 
PHP vulnerability analysis and mitigation

CSV Injection (also known as Excel Macro Injection or Formula Injection) vulnerability exists in Kimai versions prior to 1.14.1. The vulnerability is tracked as CVE-2021-43515 and was discovered in the timesheet creation functionality. When creating a new timesheet, an attacker can inject malicious payloads into the Description field which will be executed when the data is exported to a CSV file (NVD, MITRE).

The vulnerability stems from improper neutralization of formula elements in CSV files (CWE-1236). When a user creates a new timesheet and enters malicious content in the Description field, this content is not properly sanitized when exporting to CSV format. The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on a victim's system when the exported CSV file is opened in applications like Microsoft Excel. This could lead to unauthorized access, data theft, or system compromise (NVD).

The vulnerability has been patched in Kimai version 1.14.1. Users should upgrade to this version or later to protect against this vulnerability. The fix includes proper sanitization of DDE payloads in the CSV export functionality (GitHub).