CVE-2025-66370

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-66370
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-66370.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-66370
Published
2025-11-28T04:16:01.110Z
Modified
2025-12-03T15:24:25.375095Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
[none]
Details

Kivitendo before 3.9.2 allows XML External Entity (XXE) injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

References

Affected packages

Git / github.com/kivitendo/kivitendo-erp

Affected ranges

Type
GIT
Repo
https://github.com/kivitendo/kivitendo-erp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

release-2.*

release-2.2.0
release-2.4.2
release-2.6.0
release-2.6.0beta1
release-2.6.0rc1
release-2.6.1
release-2.6.1beta1
release-2.6.2
release-2.6.2beta1
release-2.6.2beta2
release-2.6.3
release-2.7.0
release-2.7.0beta1
release-2.7.0beta2
release-2.7.0rc1

release-3.*

release-3.0.0
release-3.0.0beta1
release-3.0.0beta2
release-3.0.0beta3
release-3.0.0rc1
release-3.1.0
release-3.1.0beta1
release-3.1.0rc1
release-3.2.0
release-3.2.0beta
release-3.2.1
release-3.3.0
release-3.3.0beta
release-3.4.0
release-3.4.1
release-3.5.0
release-3.5.0alpha
release-3.5.0beta
release-3.5.1
release-3.5.1beta
release-3.5.2
release-3.5.3
release-3.5.4
release-3.5.4beta
release-3.5.5
release-3.5.6
release-3.5.6.1
release-3.5.7
release-3.5.8
release-3.6.0
release-3.6.0beta
release-3.6.1
release-3.7.0
release-3.8.0
release-3.8.0beta
release-3.9.0
release-3.9.0beta
release-3.9.1