Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

Status: PUBLISHED
Reserved 2025-11-28 | Published 2025-11-28 | Updated 2025-11-28 | Assigner: mitre

Severity: MEDIUM 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status: unaffected

Any version before 3.9.2: affected

References

github.com/...c731cbcaa5eb87d55df7c82df4df9c09/doc/changelog

github.com/...ommit/1286dee72f9919166178d0cdb5f52f13b0f7d4de

github.com/...ommit/f6ba56bd8d22a428534057589baace6b7bfdf2e9

blog.kivitendo.de/?p=1415

cve.org (CVE-2025-66370)

nvd.nist.gov (CVE-2025-66370)