Описание
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-66370
- https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de
- https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9
- https://blog.kivitendo.de/?p=1415
- https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog
- https://invoice.secvuln.info
Связанные уязвимости
CVSS3: 5
nvd
2 месяца назад
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.