Insiders Technologies e-invoice pro Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Insiders Technologies GmbH's e-invoice pro, affecting versions prior to release 1 Service Pack 2. The issue allows remote attackers to disrupt service by sending crafted XML invoices that exploit the application's XML parser. Because the parser processes these invoices without validation, the result can be excessive server resource consumption or unauthorized reads of local server files, whose contents could then be transmitted to an external system.
Impact
Exploitation of this vulnerability can cause a denial-of-service condition by overwhelming server resources, potentially leading to service interruptions. Additionally, the vulnerability allows for XML external entity (XXE) injection, which could be used to read local files or make network requests to an attacker-controlled server.
Reproduction
The vulnerability can be reproduced by sending a manipulated XML invoice that includes a Document Type Definition (DTD) declaring external entities. When the e-invoice pro application processes this crafted invoice, its XML parser resolves the declared entities. For example, an invoice could be crafted to read local server files or to send HTTP requests to an external server controlled by the attacker.
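Both issues described above (external-entity file reads and entity-expansion resource exhaustion) depend on a DTD being present, so a parser that refuses any DOCTYPE closes both at once. The following is an added illustration written for this page, not the vendor's code: it parses a simple invoice with Python's stdlib expat parser and rejects the document as soon as a DOCTYPE appears. The invoice element names and the sample documents are constructed for the example.

```python
import xml.parsers.expat


class UnsafeInvoiceXML(ValueError):
    """Raised when an invoice carries a DTD, the only place entities can be declared."""


def parse_invoice(data: bytes) -> dict:
    """Parse an invoice into {element: text} while refusing any DOCTYPE.

    External entities (SYSTEM references to local files or remote URLs) and
    entity-expansion DoS both require a DTD, so rejecting the DOCTYPE up front
    blocks both classes before a single entity can be declared or resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields, path = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeInvoiceXML("DOCTYPE is not permitted in invoices")

    def reject_entity(*decl):  # defence in depth; unreachable once DOCTYPE is refused
        raise UnsafeInvoiceXML("entity declarations are not permitted")

    def refuse_external(context, base, system_id, public_id):
        return 0  # never fetch external resources; returning 0 aborts the parse

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = lambda name, attrs: path.append(name)
    parser.EndElementHandler = lambda name: path.pop()

    def collect_text(text):  # expat may deliver one text node in several chunks
        if path and text.strip():
            fields[path[-1]] = fields.get(path[-1], "") + text.strip()

    parser.CharacterDataHandler = collect_text
    parser.Parse(data, True)
    return fields


def invoice_is_safe(data: bytes) -> bool:
    """True if the invoice parsed cleanly; False if it carried a DTD or was malformed."""
    try:
        parse_invoice(data)
        return True
    except (UnsafeInvoiceXML, xml.parsers.expat.ExpatError):
        return False


# Constructed samples (not from the advisory); the SYSTEM path is a placeholder.
BENIGN_INVOICE = b"<Invoice><ID>INV-1001</ID><Amount>125.00</Amount></Invoice>"
XXE_INVOICE = (b'<!DOCTYPE Invoice [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
               b"<Invoice><ID>&ext;</ID></Invoice>")
EXPANSION_INVOICE = (b'<!DOCTYPE Invoice [<!ENTITY a "aaaaaaaaaa">'
                     b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
                     b"<Invoice><ID>&b;</ID></Invoice>")
```

The same DOCTYPE rejection applies to any parser in front of untrusted XML; where a schema legitimately needs a DTD, disable external entity resolution and cap entity expansion instead.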
Remediation
Users are advised to update to e-invoice pro release 1 Service Pack 2 or higher.