AttackFeed by Joe Wagner | Blind XXE in Electronic Invoice online tools (validator.invoice-portal.de, xrechnung.rib.de)  - Full Disclosure

Blind XXE in Electronic Invoice online tools (validator.invoice-portal.de, xrechnung.rib.de)  – Full Disclosure

Posted on By Joe-W No Comments on Blind XXE in Electronic Invoice online tools (validator.invoice-portal.de, xrechnung.rib.de)  – Full Disclosure
Alert Feeds

 

Posted by Hanno Böck on Feb 16

During tests of electronic invoicing tools, I discovered multiple XXE
and Blind XXE vulnerabilities in online tools parsing electronic
invoices in XML formats.

While most of the affected tools have fixed these vulnerabilities, two
online tools remain vulnerable to Blind XXE attacks, allowing
exfiltration of files. Disclosure to the affected operators happened
more than 90 days ago.

Vulnerable tools:

https://validator.invoice-portal.de/
 – Read More  – Full Disclosure 

You may also like

Alert Feeds
Defense in depth — the Microsoft way (part 94): SAFER (SRPv1 and AppLocker alias SRPv2) bypass for dummies  – Full Disclosure
December 22, 2025
Alert Feeds
Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)  – Full Disclosure
January 6, 2026
Alert Feeds
HEUR.Backdoor.Win32.Poison.gen / Arbitrary Code Execution / MVID-2025-0701  – Full Disclosure
December 25, 2025
Alert Feeds
[KIS-2025-11] Open Journal Systems
December 28, 2025

Leave a Reply

AttackFeed by Joe Wagner
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.