CVE-2021-44565: 
PHP vulnerability analysis and mitigation

A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before version 7.6.1. The vulnerability is present in the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. The vulnerability affects all Markdown input fields in the application (NVD).

The vulnerability stems from insufficient input validation in the xss_clean function, which was derived from CodeIgniter 2.1.3's security class. The function is used to sanitize user input from Markdown and other input fields but contains a bypass that allows XSS attacks. The vulnerability has a CVSS v3.1 Base Score of 5.4 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript or HTML code in the context of other users' browsers. This could lead to theft of sensitive information, session hijacking, or other malicious actions that could compromise user accounts and data (GitLab Issue).

The vulnerability has been fixed in RosarioSIS version 7.6.1. Users should upgrade to this version or later to protect against this vulnerability. The fix involved updating the CodeIgniter Security class implementation used for XSS filtering (RosarioSIS Changes).