CVE-2024-58335: CWE-611 Improper Restriction of XML External Entity Reference in jcthiele OpenXRechnungToolbox
OpenXRechnungToolbox through 2024-10-05-3.0.0 before 6c50e89 allows XXE because the disallow-doctype-decl feature is not enabled in visualization/VisualizerImpl.java.
AI Analysis
Technical Summary
CVE-2024-58335 is an XML External Entity (XXE) vulnerability classified under CWE-611, affecting the OpenXRechnungToolbox software developed by jcthiele. The vulnerability exists because the XML parser used in the visualization component (specifically in visualization/VisualizerImpl.java) does not have the disallow-doctype-decl feature enabled. This omission allows attackers to craft malicious XML input containing external entity references, which the parser processes. When exploited, this can lead to disclosure of confidential information from the system processing the XML, as external entities can be used to read local files or interact with internal systems. The vulnerability requires network access and low privileges (PR:L) but does not require user interaction (UI:N). The CVSS 3.1 base score is 5.0 (medium severity), reflecting limited impact on confidentiality, no impact on integrity or availability, and relatively straightforward exploitation conditions. No public exploits or active exploitation in the wild have been reported to date. The affected versions include OpenXRechnungToolbox versions up to 2024-10-05-3.0.0 before commit 6c50e89. The vulnerability is particularly relevant for organizations using this toolbox for electronic invoicing processes, as it could expose sensitive invoice or business data. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations such as disabling external entity processing or applying custom XML parser configurations.
Potential Impact
For European organizations, especially those in countries with widespread adoption of electronic invoicing standards like Germany and Austria, this vulnerability poses a risk of confidential data leakage through maliciously crafted XML invoices or related documents. Since OpenXRechnungToolbox is used to process electronic invoices, attackers exploiting this XXE flaw could access sensitive financial or business information, potentially leading to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage. The impact is primarily on confidentiality; integrity and availability are not affected. The vulnerability requires only low privileges and network access, which could allow insider threats or attackers who have gained limited access to escalate data exposure. Although no active exploitation is known, the presence of this vulnerability in a critical invoicing tool used in the European market warrants attention to prevent future attacks.
Mitigation Recommendations
1. Immediately review and update XML parser configurations in OpenXRechnungToolbox to enable the disallow-doctype-decl feature or equivalent protections that prevent processing of external entities.
2. If a patch or updated version from the vendor becomes available, prioritize applying it promptly.
3. Implement network-level controls to restrict access to the invoicing system to trusted sources only, reducing exposure to remote attackers.
4. Conduct input validation and sanitization on all XML inputs to detect and block malicious payloads.
5. Monitor logs for unusual XML processing errors or unexpected external entity requests.
6. Consider deploying Web Application Firewalls (WAF) with rules to detect and block XXE attack patterns targeting the invoicing system.
7. Educate developers and system administrators about secure XML processing best practices to prevent similar vulnerabilities in the future.
8. If immediate patching is not possible, consider isolating the vulnerable component or running it with minimal privileges to limit potential data exposure.
Affected Countries
Germany, Austria, Netherlands, Belgium, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-24T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 694b7d3054de1641bdaded10
Added to database: 12/24/2025, 5:42:08 AM
Last enriched: 12/24/2025, 5:57:04 AM
Last updated: 12/24/2025, 10:01:41 AM