GHSA-534c-hcr7-67jg: 
PHP vulnerability analysis and mitigation

A vulnerability (GHSA-534c-hcr7-67jg) was discovered in Kimai, affecting versions <= 2.20.1, which uses PHPSpreadsheet for importing and exporting invoices. The vulnerability is an XML External Entity (XXE) attack that could lead to local file read capabilities. The issue was published on September 17, 2024, and has been patched in version 2.21.0 (GitHub Advisory).

The vulnerability exists in the IOFactory::load function which utilizes simplexmlloadstring, making it susceptible to XXE attacks. The vulnerability is triggered through the render function in AbstractSpreadsheetRenderer.php. The issue has been assigned a CVSS v3.1 score of 8.5, indicating high severity, with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (GitHub Advisory).

The vulnerability allows for Local File Read capabilities, and in certain edge cases where phar:// can be utilized with gadget chains, it could potentially lead to Remote Code Execution (RCE). The attack requires an administrator account and can be triggered by uploading a malicious XLSX template, which executes every time an invoice is generated (GitHub Advisory).

The vulnerability has been patched in Kimai version 2.21.0. Users are advised to upgrade to this version or later to mitigate the risk. The fix involved updating the PHPSpreadsheet dependency to a newer, secure version (GitHub Commit).