Cross-Site Scripting Vulnerability in PhpSpreadsheet Library by PHPOffice
CVE-2024-56408

5.4MEDIUM

Key Information:

Vendor: PHPOffice
Status: PHPspreadsheet
Vendor: CVE Published:; 3 January 2025

Summary

A vulnerability exists within the PhpSpreadsheet PHP library due to improper sanitization present in the '/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php' file, allowing the potential for cross-site scripting (XSS) attacks. Users utilizing PhpSpreadsheet versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are susceptible unless they update to the patched versions that effectively address this security flaw.

References

https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80...

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 3, 2025