CVE-2024-58335
Unknown Unknown - Not Provided
XXE Vulnerability in OpenXRechnungToolbox Visualizer Component

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: MITRE

Description
OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-06-16
AI Q&A
2025-12-24
EPSS Evaluated
2026-06-15
NVD
CVE-2024-58335
EUVD
EUVD-2025-205032
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jcthiele openxrechnungtoolbox *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

The provided resources do not include specific detection methods or commands to identify this XXE vulnerability in OpenXRechnungToolbox. Detection typically involves analyzing XML inputs for DOCTYPE declarations or testing the XML parser behavior, but no explicit commands or network detection techniques are given in the resources.

Executive Summary

This vulnerability is an XML External Entity (XXE) vulnerability in the OpenXRechnungToolbox software. It occurs because the XML parser does not have the 'disallow-doctype-decl' feature enabled, which allows processing of DOCTYPE declarations in XML inputs. Attackers can exploit this to inject external entities, potentially accessing sensitive files or data. The vulnerability is fixed by configuring the XML parser to disallow DOCTYPE declarations, preventing XXE attacks. [1]

Impact Analysis

This XXE vulnerability can allow attackers to read sensitive files from the system where the OpenXRechnungToolbox is running, potentially leading to data exposure. Since the vulnerability affects XML processing in electronic invoicing software, it could compromise the confidentiality of invoice data or other sensitive information processed by the tool. [1, 2]

Compliance Impact

The vulnerability poses a risk to compliance with data protection regulations such as GDPR and HIPAA because it can lead to unauthorized access and exposure of sensitive personal or financial data processed by the invoicing software. Failure to mitigate such vulnerabilities may result in data breaches, which are subject to regulatory penalties and compliance violations. [2]

Mitigation Strategies

To mitigate this XXE vulnerability in OpenXRechnungToolbox, ensure that the XML parser disables processing of DOCTYPE declarations by enabling the feature "http://apache.org/xml/features/disallow-doctype-decl" to true in the DocumentBuilderFactory configuration. This can be done by updating the VisualizerImpl.java file as per the fix in commit 6c50e89, which sets this feature to true and enables namespace awareness. If you are using a version prior to the fix, update the software to include this patch or apply similar secure XML parsing configurations to prevent XXE attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-58335. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart