Images Embedding Vulnerability in PHPSpreadsheet
CVE-2024-45291

8.8HIGH

Key Information:

Vendor: PHPoffice
Status: PHPspreadsheet
Vendor: CVE Published:; 7 October 2024

Summary

PHPSpreadsheet, a well-known PHP library for handling spreadsheet files, has a security flaw that allows attackers to exploit the image embedding feature. When the HTML writer's embedding of images is enabled, attackers can create corrupted XLSX files linking images from arbitrary server paths. This process results in the inclusion of files as 'data:' URLs in the output. The vulnerability also permits attackers to execute arbitrary HTTP GET requests by embedding URLs, thus risking the exposure of sensitive files on the server. Notably, PHP protocol wrappers can be utilized in this attack vector, potentially leading to remote code execution if certain wrappers, like 'expect://', are enabled. Upgrading to newer releases, specifically versions 1.29.2, 2.1.1, and 2.3.0, is essential as there are no workarounds available for this vulnerability.

Affected Version(s)

PhpSpreadsheet < 1.29.2 < 1.29.2

PhpSpreadsheet >= 2.0.0, < 2.1.1 < 2.0.0, 2.1.1

PhpSpreadsheet >= 2.2.0, < 2.3.0 < 2.2.0, 2.3.0

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 7, 2024