CVE-2024-58335
XXE Vulnerability in OpenXRechnungToolbox Visualizer Component
Publication date: 2025-12-24
Last updated on: 2025-12-24
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jcthiele | openxrechnungtoolbox | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific detection methods or commands to identify this XXE vulnerability in OpenXRechnungToolbox. Detection typically involves analyzing XML inputs for DOCTYPE declarations or testing the XML parser behavior, but no explicit commands or network detection techniques are given in the resources.
Can you explain this vulnerability to me?
This vulnerability is an XML External Entity (XXE) vulnerability in the OpenXRechnungToolbox software. It occurs because the XML parser does not have the 'disallow-doctype-decl' feature enabled, which allows processing of DOCTYPE declarations in XML inputs. Attackers can exploit this to inject external entities, potentially accessing sensitive files or data. The vulnerability is fixed by configuring the XML parser to disallow DOCTYPE declarations, preventing XXE attacks. [1]
How can this vulnerability impact me?
This XXE vulnerability can allow attackers to read sensitive files from the system where the OpenXRechnungToolbox is running, potentially leading to data exposure. Since the vulnerability affects XML processing in electronic invoicing software, it could compromise the confidentiality of invoice data or other sensitive information processed by the tool. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability poses a risk to compliance with data protection regulations such as GDPR and HIPAA because it can lead to unauthorized access and exposure of sensitive personal or financial data processed by the invoicing software. Failure to mitigate such vulnerabilities may result in data breaches, which are subject to regulatory penalties and compliance violations. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this XXE vulnerability in OpenXRechnungToolbox, ensure that the XML parser refuses to process DOCTYPE declarations by setting the feature "http://apache.org/xml/features/disallow-doctype-decl" to true on the DocumentBuilderFactory. This is what the fix in commit 6c50e89 does in VisualizerImpl.java: it sets this feature to true and enables namespace awareness. If you are using a version prior to the fix, update the software to include this patch or apply the same secure XML parsing configuration to prevent XXE attacks. [1]
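As an added example (not code from the OpenXRechnungToolbox project), the following shows a DocumentBuilderFactory configured the way the fix describes: disallow-doctype-decl set to true and namespace awareness enabled, with a small check that a DOCTYPE-bearing input is rejected while a plain invoice fragment still parses. The class, method names and the two sample documents are constructed for illustration; the feature URI is the one named above.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class HardenedXmlParser {

    // The feature the fix enables in VisualizerImpl.java (commit 6c50e89).
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a parser that rejects any DOCTYPE declaration, so no entity can be declared at all. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                 // XRechnung (UBL/CII) documents are namespaced
        dbf.setFeature(DISALLOW_DOCTYPE, true);      // the actual XXE fix: refuse <!DOCTYPE ...>
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // defence in depth
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns true if the parser accepted the document, false if it was rejected. */
    public static boolean accepts(String xml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal UBL invoice fragment, and the same fragment preceded by a DOCTYPE.
        String plain = "<Invoice xmlns=\"urn:oasis:names:specification:ubl:schema:xsd:Invoice-2\">"
                     + "<ID>1</ID></Invoice>";
        String withDoctype = "<!DOCTYPE Invoice>" + plain;
        System.out.println("plain invoice accepted:   " + accepts(plain));
        System.out.println("DOCTYPE invoice accepted: " + accepts(withDoctype));
    }
}
```

With the feature enabled the second input fails with a SAXParseException at the DOCTYPE, which is the behaviour the patched VisualizerImpl relies on.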