XML External Entity Vulnerability in PHPSpreadsheet by PHPOffice
CVE-2024-45293

7.5HIGH

Key Information:

Vendor: PHPOffice
Status: PHPSpreadsheet
Vendor: CVE Published:; 7 October 2024

What is CVE-2024-45293?

The PHPSpreadsheet library, used for managing spreadsheet files in PHP, is susceptible to XML External Entity (XXE) injection due to an inadequate XML encoding check in its XLSX reader. This flaw arises when an attacker modifies the XML structure by strategically placing whitespace within the encoding attribute. If an application permits users to upload Excel spreadsheets, this vulnerability can be leveraged to disclose sensitive server files and information, as the security scanner fails to adequately validate the XML encoding. Users are strongly encouraged to upgrade to versions 1.29.1, 2.1.1, or 2.3.0 to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

EPSS Score

65% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 7, 2024

JSON

PHPOffice

What is CVE-2024-45293?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

References

EPSS Score

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.