CVE-2024-58335
📋 TL;DR
OpenXRechnungToolbox contains an XML External Entity (XXE) vulnerability in its visualization component that allows attackers to read arbitrary files from the server filesystem. This affects all users running vulnerable versions of the software. The vulnerability exists because the disallow-doctype-decl feature is not properly enabled in the XML parser.
💻 Affected Systems
- OpenXRechnungToolbox
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file disclosure, potentially leading to credential theft, sensitive data exposure, and further system compromise.
Likely Case
Unauthorized file read access to server files, potentially exposing configuration files, credentials, or sensitive business data.
If Mitigated
Limited impact with proper input validation and XML parser hardening, potentially preventing exploitation entirely.
🎯 Exploit Status
XXE vulnerabilities are well understood and typically easy to exploit with standard XXE payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 6c50e8979924b09f336c976cbad3a9ebfe25ebf9 and later
Vendor Advisory: https://invoice.secvuln.info
Restart Required: Yes
Instructions:
1. Update to latest version from GitHub repository
2. Apply commit 6c50e8979924b09f336c976cbad3a9ebfe25ebf9
3. Restart the application service
4. Verify the fix by testing XML processing functionality
🔧 Temporary Workarounds
XML Parser Hardening
Manually enable the disallow-doctype-decl feature in the XML parser configuration.
Modify visualization/VisualizerImpl.java to set FEATURE_SECURE_PROCESSING = true and DISALLOW_DOCTYPE_DECL = true.
🧯 If You Can't Patch
- Implement strict input validation to reject XML containing external entity declarations
- Deploy network segmentation to limit access to vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check whether the running version predates commit 6c50e89, and whether FEATURE_SECURE_PROCESSING and DISALLOW_DOCTYPE_DECL are disabled in visualization/VisualizerImpl.java.
Check Version:
git log --oneline -1
Verify Fix Applied:
Verify that commit 6c50e89 is applied, then test with XXE payloads and confirm that the parser rejects any XML containing a DOCTYPE declaration.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- File access attempts from XML parser
- Large XML payloads with external entity references
Network Indicators:
- XML requests containing SYSTEM or PUBLIC declarations
- Outbound connections from application to unexpected external resources
SIEM Query:
source="application.log" AND ("DOCTYPE" OR "SYSTEM" OR "ENTITY") AND NOT "normal_xml_content"