Reflected Cross-Site Scripting Vulnerability in PhpSpreadsheet by PhpOffice
CVE-2024-56365
5.4MEDIUM
What is CVE-2024-56365?
PhpSpreadsheet, a well-known PHP library for handling spreadsheet files, has a vulnerability that allows attackers to exploit reflected cross-site scripting. This issue arises in the constructor of the Downloader
class, specifically through the use of the download.php
script located at /vendor/phpoffice/phpspreadsheet/samples/download.php
. Attackers can execute cross-site scripting attacks on users by crafting malicious requests that manipulate the parameters of the script. To mitigate this risk, users are advised to upgrade to PhpSpreadsheet versions 3.7.0, 2.3.5, 2.1.6, or 1.29.7, which include the necessary patch.