AttackFeed by Joe Wagner | Blind XXE in Electronic Invoice online tools (validator.invoice-portal.de, xrechnung.rib.de)  - Full Disclosure

Blind XXE in Electronic Invoice online tools (validator.invoice-portal.de, xrechnung.rib.de)  – Full Disclosure

Posted on By Joe-W
Alert Feeds

 

Posted by Hanno Böck on Feb 16

During tests of electronic invoicing tools, I discovered multiple XXE
and Blind XXE vulnerabilities in online tools parsing electronic
invoices in XML formats.

While most of the affected tools have fixed these vulnerabilities, two
online tools remain vulnerable to Blind XXE attacks, allowing
exfiltration of files. Disclosure to the affected operators happened
more than 90 days ago.

Vulnerable tools:

https://validator.invoice-portal.de/
 – Read More  – Full Disclosure 

You may also like

AttackFeed by Joe Wagner | APPLE-SA-03-24-2026-2 iOS 18.7.7 and iPadOS 18.7.7  - Full Disclosure
Alert Feeds
APPLE-SA-03-24-2026-2 iOS 18.7.7 and iPadOS 18.7.7  – Full Disclosure
March 28, 2026
AttackFeed by Joe Wagner | Re: SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App  - Full Disclosure
Alert Feeds
Re: SEC Consult SA-20260427-0 :: Missing TLS Certificate Validation leading to RCE in DeskTime Time Tracking App  – Full Disclosure
April 29, 2026
AttackFeed by Joe Wagner | [KIS-2026-04] SmarterMail
Alert Feeds
[KIS-2026-04] SmarterMail
February 22, 2026
AttackFeed by Joe Wagner | Research: When Trusted Tools Become Attack Primitives  - Full Disclosure
Alert Feeds
Research: When Trusted Tools Become Attack Primitives  – Full Disclosure
April 29, 2026