Cross-Site Scripting Vulnerability in PhpSpreadsheet Library
CVE-2024-56410

5.4MEDIUM

Key Information:

Vendor: PHPOffice
Status: PHPspreadsheet
Vendor: CVE Published:; 3 January 2025

What is CVE-2024-56410?

PhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files, is susceptible to a cross-site scripting (XSS) vulnerability present in versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7. This vulnerability arises from the failure to sanitize custom properties when generating HTML pages, potentially allowing an attacker to inject malicious scripts through unfiltered input. The issue has been addressed in subsequent patch releases. Developers utilizing affected versions are advised to upgrade to ensure the integrity and security of their applications.

References

https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f...

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 3, 2025

JSON