Unauthorized Reflected Cross-Site Scripting in PhpSpreadsheet by PHPOffice
CVE-2024-56409

5.4MEDIUM

Key Information:

Vendor: PHPOffice
Status: PHPspreadsheet
Vendor: CVE Published:; 3 January 2025

Summary

The PhpSpreadsheet library, utilized for reading and writing spreadsheet files in PHP, has a vulnerability in the Currency.php file that permits unauthorized reflected cross-site scripting. An attacker can exploit this flaw when accessing the script located at /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php. The affected versions include those prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7. The issue has been addressed in the mentioned versions, providing a necessary update to mitigate potential cross-site scripting attacks.

References

https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80...

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 3, 2025