OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability, which allows an attacker to read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).
