CVE-2025-66370
- Source
- https://cve.org/CVERecord?id=CVE-2025-66370
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66370.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-66370
- Published
- 2025-11-28T04:16:01.110Z
- Modified
- 2026-03-15T22:51:35.019404Z
- Severity
-
- 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.
- References
-
- https://invoice.secvuln.info
- https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog
- https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de
- https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9
- https://blog.kivitendo.de/?p=1415
Affected packages
Git / github.com/kivitendo/kivitendo-erp
Affected versions
release-2.*
release-2.2.0
release-2.4.2
release-2.6.0
release-2.6.0beta1
release-2.6.0rc1
release-2.6.1
release-2.6.1beta1
release-2.6.2
release-2.6.2beta1
release-2.6.2beta2
release-2.6.3
release-2.7.0
release-2.7.0beta1
release-2.7.0beta2
release-2.7.0rc1
release-3.*
release-3.0.0
release-3.0.0beta1
release-3.0.0beta2
release-3.0.0beta3
release-3.0.0rc1
release-3.1.0
release-3.1.0beta1
release-3.1.0rc1
release-3.2.0
release-3.2.0beta
release-3.2.1
release-3.3.0
release-3.3.0beta
release-3.4.0
release-3.4.1
release-3.5.0
release-3.5.0alpha
release-3.5.0beta
release-3.5.1
release-3.5.1beta
release-3.5.2
release-3.5.3
release-3.5.4
release-3.5.4beta
release-3.5.5
release-3.5.6
release-3.5.6.1
release-3.5.7
release-3.5.8
release-3.6.0
release-3.6.0beta
release-3.6.1
release-3.7.0
release-3.8.0
release-3.8.0beta
release-3.9.0
release-3.9.0beta
release-3.9.1
release-3.9.2beta2