Kivitendo before 3.9.2 is vulnerable to XML External Entity (XXE) injection. By uploading an electronic invoice in the ZUGFeRD format, an authenticated user can cause the server to read files from its filesystem and exfiltrate their contents.
Exploitability: AV:N / AC:L / PR:L / UI:N
Scope: S:C
Impact: C:L / I:N / A:N
CVSS base score: 5 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Weakness: Input Validation
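The root cause described above is an XML parser that honours entity declarations in attacker-supplied invoice XML. The following added example (not Kivitendo's code, and written in Python rather than the project's Perl) shows the defensive gate a practitioner would put in front of an e-invoice import: reject any uploaded document that declares a DOCTYPE or an entity before it reaches the real parser, since ZUGFeRD invoice XML never needs a DTD. The two invoice documents are constructed samples; the `rsm` namespace follows the CII standard that ZUGFeRD builds on, and the `file:///path/on/server` URI is a placeholder.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when an uploaded XML document declares a DTD or an entity."""


def check_no_dtd(xml_bytes: bytes) -> None:
    """Reject any document carrying a DOCTYPE or entity declaration.

    expat reports these constructs through dedicated handlers before any
    entity is expanded, so raising inside the handler stops the parse
    before an external reference could be resolved.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE declaration not allowed (root={name!r})")

    def on_entity(entity_name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration not allowed ({entity_name!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)  # isfinal=True: the whole upload is in memory


def is_safe_invoice_xml(xml_bytes: bytes) -> bool:
    """True only for well-formed XML with no DTD; False for anything else."""
    try:
        check_no_dtd(xml_bytes)
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False
    return True


def load_invoice(xml_bytes: bytes) -> ET.Element:
    """Parse an uploaded invoice only after the DTD gate has passed."""
    check_no_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed minimal CII/ZUGFeRD-style invoice (not a complete invoice).
CLEAN_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<rsm:CrossIndustryInvoice
    xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100">
  <rsm:ExchangedDocument>INV-0001</rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>"""

# Constructed upload of the kind the advisory describes: an internal DTD
# declaring an external entity that points at a server-side file.
XXE_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rsm:CrossIndustryInvoice [
  <!ENTITY xxe SYSTEM "file:///path/on/server">
]>
<rsm:CrossIndustryInvoice
    xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100">
  <rsm:ExchangedDocument>&xxe;</rsm:ExchangedDocument>
</rsm:CrossIndustryInvoice>"""


if __name__ == "__main__":
    print("clean invoice accepted:", is_safe_invoice_xml(CLEAN_INVOICE))
    print("DTD-bearing invoice rejected:", not is_safe_invoice_xml(XXE_INVOICE))
    print("root element:", load_invoice(CLEAN_INVOICE).tag)
```

The gate is deliberately stricter than "disable external entities": a DOCTYPE has no legitimate place in an e-invoice upload, so rejecting it outright also removes internal-entity expansion and parameter-entity tricks, and a rejected upload is a clean signal worth logging as a possible attack attempt.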