CVE-2025-66370_CVE-2025-66370

5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Description

Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.

Basic Information

ID CVE-2025-66370

Source mitre

Published Nov 28, 2025 at 00:00

Modified Nov 28, 2025 at 03:33

Affected Product

Vendor kivitendo

Product kivitendo

Affected Versions kivitendo kivitendo 0

CWE Classification

CWE-611

References

{
    "lastseen": "",
    "description": "Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the server's filesystem.",
    "published": "2025-11-28T00:00:00.000Z",
    "modified": "2025-11-28T03:33:34.182Z",
    "type": "cve",
    "title": "CVE-2025-66370",
    "source": "mitre",
    "references": "https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog\nhttps://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de\nhttps://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9\nhttps://blog.kivitendo.de/?p=1415",
    "id": "CVE-2025-66370",
    "bulletinFamily": "",
    "cwe": [
        "CWE-611"
    ],
    "cvelist": null,
    "sourceData": "kivitendo kivitendo 0",
    "sourceHref": "",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "kivitendo",
    "version": "0",
    "vendor": "kivitendo",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}