Arbitrary JavaScript Injection in PhpSpreadsheet via Spreadsheet Styling Information
CVE-2024-45046

5.4MEDIUM

Key Information:

Vendor
PHPoffice
Status
PHPspreadsheet
Vendor
CVE Published:
28 August 2024

Summary

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker may used a crafted spreadsheet to fully takeover a session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

PhpSpreadsheet < 2.1.0

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...
x_refsource_CONFIRM
https://github.com/PHPOffice/PhpSpreadsheet/pull/3957
x_refsource_MISC
https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf37...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

.