2025-11-28 00:00:00
mitre
PUBLISHED
Kivitendo before 3.9.2 allows XXE injection. By uploading an electronic invoice in the ZUGFeRD format, it is possible to read and exfiltrate files from the servers filesystem.