Mpdf · Mpdf · CVE-2026-44298
**Name of the Vulnerable Software and Affected Versions**
Kimai versions 2.32.0 through 2.55.x
**Description**
Users with the `System-Admin` role (`ROLE_SYSTEM_ADMIN`) and the `upload_invoice_template` permission can upload PDF invoice templates that call `pdfContext.setOption('associated_files', ...)` inside the sandboxed Twig render. The option value is passed through to mPDF's `SetAssociatedFiles()`, which calls `file_get_contents($entry['path'])` during PDF output and embeds the bytes as a FlateDecode stream. Consequently, any file readable by the PHP worker can be exfiltrated by such a user through the rendered invoice.
**Recommendations**
Update Kimai to version 2.56.0.
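The description above names the sink: mPDF's `SetAssociatedFiles()` reads whatever `path` each entry carries. The following is an added example, not Kimai's or mPDF's own code, of a call-site guard that canonicalises each path and drops any entry that does not resolve to a regular file under an allow-listed base directory; the base directory, the function name and the sample entries are assumptions.

```php
<?php
// Added example, not Kimai's or mPDF's own code: a call-site guard that
// validates associated-file entries before they reach mPDF's
// SetAssociatedFiles(), whose file_get_contents($entry['path']) is the sink.
// The allow-listed base directory and the function name are assumptions.
declare(strict_types=1);
/**
 * Keep only entries whose 'path' resolves (symlinks and '..' included) to a
 * regular file inside $baseDir. Rejected paths are collected in $rejected.
 */
function filterAssociatedFiles(array $entries, string $baseDir, array &$rejected = []): array
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException("Unusable base directory: $baseDir");
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $allowed = [];
    foreach ($entries as $entry) {
        $path = $entry['path'] ?? null;
        $real = is_string($path) && $path !== '' ? realpath($path) : false;
        // realpath() returns false for missing files, so only existing paths reach the prefix check.
        if ($real === false || !is_file($real) || strncmp($real, $base, strlen($base)) !== 0) {
            $rejected[] = is_string($path) ? $path : '(non-string path)';
            continue;
        }
        $entry['path'] = $real;          // hand mPDF the canonical path only
        $allowed[] = $entry;
    }
    return $allowed;
}

// Constructed demonstration: one file inside the allowed directory, one path
// that climbs out of it.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'assoc_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/attachment.xml', '<invoice/>');
$entries = [
    ['name' => 'attachment.xml', 'mime' => 'application/xml', 'path' => $dir . '/attachment.xml'],
    ['name' => 'escape.txt',     'mime' => 'text/plain',       'path' => $dir . '/../escape.txt'],
];
$rejected = [];
$safe = filterAssociatedFiles($entries, $dir, $rejected);
assert(count($safe) === 1 && $safe[0]['name'] === 'attachment.xml');
assert($rejected === [$dir . '/../escape.txt']);
// Only $safe would be passed on: $mpdf->SetAssociatedFiles($safe);
unlink($dir . '/attachment.xml');
rmdir($dir);
```

Applying the guard where template-supplied options are translated into mPDF calls keeps the Twig sandbox from becoming an arbitrary file read, independently of which option key exposes the sink.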