XML External Entity Vulnerability in PHPSpreadsheet by PHPOffice
CVE-2024-45293

7.5HIGH

Key Information:

Vendor: PHPOffice
Status: PHPSpreadsheet
Vendor: CVE Published:; 7 October 2024

Summary

The PHPSpreadsheet library, used for managing spreadsheet files in PHP, is susceptible to XML External Entity (XXE) injection due to an inadequate XML encoding check in its XLSX reader. This flaw arises when an attacker modifies the XML structure by strategically placing whitespace within the encoding attribute. If an application permits users to upload Excel spreadsheets, this vulnerability can be leveraged to disclose sensitive server files and information, as the security scanner fails to adequately validate the XML encoding. Users are strongly encouraged to upgrade to versions 1.29.1, 2.1.1, or 2.3.0 to mitigate this risk.

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

EPSS Score

21% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 7, 2024