Search
Find a vulnerability
Search criteria
2 vulnerabilities found for kivitendo by kivitendo
CVE-2025-66370 (GCVE-0-2025-66370)
Vulnerability from nvd – Published: 2025-11-28 00:00 – Updated: 2026-01-15 06:46
VLAI
EPSS
VEX
Summary
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:58:09.742349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:58:38.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "kivitendo",
"vendor": "kivitendo",
"versions": [
{
"lessThan": "3.9.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server\u0027s filesystem."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T06:46:24.375Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog"
},
{
"url": "https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de"
},
{
"url": "https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9"
},
{
"url": "https://blog.kivitendo.de/?p=1415"
},
{
"url": "https://invoice.secvuln.info"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66370",
"datePublished": "2025-11-28T00:00:00.000Z",
"dateReserved": "2025-11-28T00:00:00.000Z",
"dateUpdated": "2026-01-15T06:46:24.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66370 (GCVE-0-2025-66370)
Vulnerability from cvelistv5 – Published: 2025-11-28 00:00 – Updated: 2026-01-15 06:46
VLAI
EPSS
VEX
Summary
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.
Severity
5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66370",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-28T15:58:09.742349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-28T15:58:38.456Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "kivitendo",
"vendor": "kivitendo",
"versions": [
{
"lessThan": "3.9.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server\u0027s filesystem."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T06:46:24.375Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog"
},
{
"url": "https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de"
},
{
"url": "https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9"
},
{
"url": "https://blog.kivitendo.de/?p=1415"
},
{
"url": "https://invoice.secvuln.info"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-66370",
"datePublished": "2025-11-28T00:00:00.000Z",
"dateReserved": "2025-11-28T00:00:00.000Z",
"dateUpdated": "2026-01-15T06:46:24.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}