CVE-2025-66370: Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible t…

Kivitendo before version 3.9.2 is vulnerable to XML External Entity (XXE) injection via electronic invoices in the ZUGFeRD format, allowing file exfiltration from the server's filesystem.

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.
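The defensive pattern for this class of bug is to reject any DTD in an uploaded e-invoice before the XML is parsed, since ZUGFeRD (UN/CEFACT CII) documents are namespace-based and never need one. The following is an added example written for this page, not Kivitendo's own (Perl) code; the class and function names and both sample documents are constructed, and the placeholder file path in the hostile sample stands in for whatever an attacker would reference.

```python
# Added example: refuse DTDs before parsing an uploaded CII / ZUGFeRD invoice.
# Not Kivitendo code; names and sample documents are constructed for illustration.
import xml.etree.ElementTree as ET
import xml.parsers.expat

class UnsafeInvoiceXML(ValueError):
    """Uploaded e-invoice XML carries a DTD, entity declaration or external entity."""

def check_no_dtd(xml_bytes: bytes) -> None:
    """Reject any DOCTYPE or <!ENTITY> instead of resolving it; nothing is expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise UnsafeInvoiceXML("DTD or entity declaration not allowed in e-invoice XML")

    parser.StartDoctypeDeclHandler = reject   # fires on '<!DOCTYPE' before the subset
    parser.EntityDeclHandler = reject         # any <!ENTITY ...>, internal or SYSTEM
    parser.ExternalEntityRefHandler = lambda *_a: 0  # never fetch external content
    parser.Parse(xml_bytes, True)

# Namespaces from the UN/CEFACT CII D16B schema used by ZUGFeRD 2 / Factur-X.
NS = {
    "rsm": "urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100",
    "ram": "urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100",
}

def load_invoice(xml_bytes: bytes) -> dict:
    """Run the DTD check first, then read header fields from the CII document."""
    check_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    doc = root.find("rsm:ExchangedDocument", NS)
    if doc is None:
        raise UnsafeInvoiceXML("not a CrossIndustryInvoice document")
    return {
        "invoice_id": doc.findtext("ram:ID", default="", namespaces=NS),
        "type_code": doc.findtext("ram:TypeCode", default="", namespaces=NS),
    }

# Constructed benign header (not a real invoice).
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<rsm:CrossIndustryInvoice xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100"
 xmlns:ram="urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100">
 <rsm:ExchangedDocument><ram:ID>INV-2025-0001</ram:ID><ram:TypeCode>380</ram:TypeCode></rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>"""

# Constructed hostile upload: the DOCTYPE declares an entity that would read a server file.
BAD = b"""<!DOCTYPE rsm:CrossIndustryInvoice [ <!ENTITY leak SYSTEM "file:///PLACEHOLDER_PATH"> ]>
<rsm:CrossIndustryInvoice xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100"
 xmlns:ram="urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100">
 <rsm:ExchangedDocument><ram:ID>&leak;</ram:ID></rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>"""
```

The same hardening in Kivitendo's language would be XML::LibXML with entity expansion, external DTD loading and network access all switched off, so the hostile document above fails at the DOCTYPE rather than reaching the filesystem.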
