Akaunting 3.1.21 - Authenticated stored XSS in document timeline

An authenticated attacker updates their profile name to include malicious HTML/JavaScript (e.g., `CVE-RESTORE-"><img src=x onerror=alert(document.domain)>`). When that user creates or cancels an invoice or bill, Akaunting stores the attacker-controlled name as the document owner. Another authenticated user viewing the document detail page triggers the payload because the timeline description is rendered as raw Blade output (`{!! $description !!}`) in the accordion header component [ref_id=1]. The attack requires only an authenticated session and the ability to edit one's own profile name.

The vulnerability resides in the profile update route (`admin/profile`), the `UpdateUser` job (`app/Jobs/Auth/UpdateUser.php:27-29`), and the Blade templates that render timeline descriptions as raw HTML (`resources/views/components/show/accordion/head.blade.php` uses `{!! $description !!}`). The document timeline components (`app/View/Components/Documents/Show/Create.php` and `Restore.php`) read the stored owner name and interpolate it into translated descriptions without sanitization.

The advisory states that no patch is currently available [ref_id=1]. To remediate the vulnerability, the application must either strip or encode HTML tags from the user name before storage, or escape the interpolated user name in the Blade templates by replacing `{!! $description !!}` with `{{ $description }}` to prevent raw HTML rendering.