
CVE-2025-66370: XXE Vulnerability in Kivitendo ERP Allows Local File Disclosure via ZUGFeRD Invoices

Overview

CVE-2025-66370 is an XML External Entity (XXE) injection vulnerability in Kivitendo ERP versions prior to 3.9.2. The flaw sits in the import of electronic invoices in the ZUGFeRD format: the XML embedded in a ZUGFeRD invoice is parsed with external entity resolution enabled. An attacker who can get a crafted invoice into that import path can declare an external entity that points at a local file (for example /etc/passwd or the application's configuration) and have the server read the file and substitute its contents into the parsed invoice, from where they can be disclosed.

Technical Details

The vulnerability is a parser-configuration problem, not a missing sanitization step: XXE is not fixed by escaping or filtering field values, it is fixed by telling the XML parser not to substitute external entities and not to load external DTDs. ZUGFeRD (also published as Factur-X) is a hybrid e-invoice format widely used in Germany: a PDF/A-3 document with an embedded XML file in the UN/CEFACT Cross Industry Invoice (CII) format that carries the machine-readable invoice data. Kivitendo extracts that XML from the uploaded PDF and parses it. In versions prior to 3.9.2 the parser resolved external entities, so a DOCTYPE in the embedded XML can declare an entity such as <!ENTITY xxe SYSTEM "file:///etc/passwd"> and reference it from an invoice field; the parser then reads the named file and substitutes its contents for the reference. Wherever that field value is subsequently stored, displayed or echoed in an error message, the file contents leak; the usual out-of-band variant (a parameter entity that sends the data to an attacker-controlled URL) does not even need the value to be reflected. A legitimate CII invoice never contains a DOCTYPE at all, which is what makes the hardening straightforward.

CVSS Analysis

  • CVE ID: CVE-2025-66370
  • Severity: MEDIUM
  • CVSS Score: 5.0

A CVSS score of 5.0 maps to Medium severity. The score reflects that the attacker must be able to get a crafted invoice into Kivitendo's ZUGFeRD import in the first place, and that the direct impact is confidentiality only (reading files the Kivitendo process can open). Once the import path is reachable, the payload itself is trivial to craft and needs no knowledge of the application beyond the fact that it parses the embedded XML.

Possible Impact

Successful exploitation of this XXE vulnerability can lead to:

  • File Exfiltration: An attacker can read any file the Kivitendo service account can open, including application configuration, database credentials and other data stored on the server.
  • Follow-on Attacks: Disclosed credentials and configuration can be used for further attacks, such as logging into the database, escalating privileges on the host or moving laterally within the network.
  • Denial of Service (Potentially): A parser that resolves entities is also exposed to entity-expansion payloads (the "billion laughs" pattern), which can exhaust memory or CPU during import; this is a side effect of the same misconfiguration rather than the reported impact.

Mitigation and Patch Steps

To mitigate this vulnerability, update Kivitendo ERP to version 3.9.2 or later, where the ZUGFeRD import no longer resolves external entities. Apply the following steps:

  1. Upgrade Kivitendo: The primary mitigation is to upgrade to Kivitendo ERP version 3.9.2 or a more recent release. There is no configuration-only workaround, because the parser settings live in the import code.
  2. Verify the Fix: After upgrading, confirm the behaviour rather than trusting the version number: import a test invoice whose embedded XML declares an external entity pointing at a harmless local file and check that the referenced content never appears in the imported record or in any error output.
  3. Web Application Firewall (WAF): A WAF can be a defence-in-depth layer, but note its limit here: the invoice XML is embedded inside a PDF attachment stream, which is normally compressed, so a WAF inspecting the raw upload body will usually not see a DOCTYPE or ENTITY declaration at all. Treat WAF rules as a secondary control, not as the fix.
  4. Input Validation: The effective application-side check is structural: parse the extracted invoice XML with entity substitution and external DTD loading disabled, and reject any invoice XML that carries a DOCTYPE declaration, since ZUGFeRD/CII invoices are schema-based and never need one.
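The following Perl script is an added example, not Kivitendo's own code, that illustrates both the parser behaviour described under Technical Details and the verification and validation steps above. It assumes the XML::LibXML binding (the libxml2 binding commonly used in Perl applications; that Kivitendo's import uses it is an assumption here), constructs a minimal CII-style invoice with an in-band XXE payload and a benign one, and compares the default parser against a hardened one that also rejects any document carrying a DTD. The temporary file stands in for a sensitive file on the server.

```perl
#!/usr/bin/env perl
# Added example, not Kivitendo code. Assumes XML::LibXML; all invoice XML
# below is constructed for the demonstration.
use strict;
use warnings;
use File::Temp qw(tempfile);
use XML::LibXML;

my $RAM = 'urn:un:unece:uncefact:data:standard:ReusableAggregateBusinessInformationEntity:100';
my $RSM = 'urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100';

# Stand-in for a sensitive file on the ERP host (a real attack would name
# /etc/passwd or the application's database configuration instead).
my ($fh, $secret_path) = tempfile(UNLINK => 1);
print {$fh} "db_password=hunter2\n";
close $fh;

# Constructed malicious invoice: a DOCTYPE declares an external entity
# pointing at a local file, and the invoice number field references it.
my $malicious = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rsm:CrossIndustryInvoice [
  <!ENTITY xxe SYSTEM "file://$secret_path">
]>
<rsm:CrossIndustryInvoice xmlns:rsm="$RSM" xmlns:ram="$RAM">
  <rsm:ExchangedDocument><ram:ID>&xxe;</ram:ID></rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>
XML

# Constructed benign invoice: a legitimate CII document has no DOCTYPE.
my $benign = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<rsm:CrossIndustryInvoice xmlns:rsm="$RSM" xmlns:ram="$RAM">
  <rsm:ExchangedDocument><ram:ID>RE-2025-0042</ram:ID></rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>
XML

# Reads the invoice number the way an import routine would. Returns the
# field value or dies; the parser handed in decides whether entities are
# resolved, and $reject_dtd adds the structural check from step 4.
sub invoice_number {
    my ($parser, $xml, $reject_dtd) = @_;
    my $doc = $parser->parse_string($xml);
    # A ZUGFeRD invoice never carries a DTD, so its presence alone marks
    # the upload as hostile; rejecting here keeps unexpanded entity
    # references out of downstream code as well.
    die "rejected: invoice XML carries a DOCTYPE\n"
        if $reject_dtd && ($doc->internalSubset || $doc->externalSubset);
    my $xpc = XML::LibXML::XPathContext->new($doc);
    $xpc->registerNs(ram => $RAM);
    return $xpc->findvalue('//ram:ID');
}

# Vulnerable configuration: XML::LibXML substitutes entities by default
# (expand_entities => 1), so the SYSTEM entity is read from disk.
my $default = XML::LibXML->new();

# Hardened configuration: no entity substitution, no external DTD loading,
# and no network access for the parser (blocks out-of-band variants too).
my $hardened = XML::LibXML->new(
    expand_entities => 0,
    load_ext_dtd    => 0,
    no_network      => 1,
);

for my $case (
    ['default parser, malicious',  $default,  $malicious, 0],
    ['hardened parser, malicious', $hardened, $malicious, 1],
    ['hardened parser, benign',    $hardened, $benign,    1],
) {
    my ($label, $parser, $xml, $reject) = @$case;
    my $value = eval { invoice_number($parser, $xml, $reject) };
    printf "%-27s -> %s\n", $label,
        defined $value ? "ID='$value'" : "error: $@";
}
```

Run it with a current XML::LibXML installed: the first case shows the file contents where the invoice number should be, which is the disclosure the CVE describes; the second is rejected before any field is read; the third returns the real invoice number. The three parser options are the whole fix for the parser side, and the DOCTYPE check is cheap insurance against a future parser default changing underneath the application. The same script, pointed at the XML extracted from a test invoice, is a practical way to carry out the post-upgrade verification in step 2.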

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
