XML External Entity Vulnerability in PHPSpreadsheet by PHPOffice
CVE-2024-45293
7.5HIGH
What is CVE-2024-45293?
The PHPSpreadsheet library, used for managing spreadsheet files in PHP, is susceptible to XML External Entity (XXE) injection due to an inadequate XML encoding check in its XLSX reader. This flaw arises when an attacker modifies the XML structure by strategically placing whitespace within the encoding attribute. If an application permits users to upload Excel spreadsheets, this vulnerability can be leveraged to disclose sensitive server files and information, as the security scanner fails to adequately validate the XML encoding. Users are strongly encouraged to upgrade to versions 1.29.1, 2.1.1, or 2.3.0 to mitigate this risk.