Unauthorized Reflected Cross-Site Scripting in PhpSpreadsheet Product by PHPOffice
CVE-2024-56366

5.4MEDIUM

Key Information:

Vendor: PHPOffice
Status: PHPspreadsheet
Vendor: CVE Published:; 3 January 2025

What is CVE-2024-56366?

PhpSpreadsheet is a widely used PHP library designed for generating and manipulating spreadsheet files. Recent findings indicate that versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are susceptible to unauthorized reflected cross-site scripting (XSS) due to a flaw in the ‘Accounting.php’ file. This vulnerability enables attackers to exploit the library through the sample script located at /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php, facilitating potential XSS attacks. Users are recommended to upgrade to the latest patched versions to mitigate the risk associated with this vulnerability.

References

https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80...

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 3, 2025

JSON