Cross-Site Scripting Vulnerability in PhpSpreadsheet Library
CVE-2024-56410

5.4MEDIUM

Key Information:

Vendor: PHPOffice
Status: PHPspreadsheet
Vendor: CVE Published:; 3 January 2025

Summary

PhpSpreadsheet, a widely used PHP library for reading and writing spreadsheet files, is susceptible to a cross-site scripting (XSS) vulnerability present in versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7. This vulnerability arises from the failure to sanitize custom properties when generating HTML pages, potentially allowing an attacker to inject malicious scripts through unfiltered input. The issue has been addressed in subsequent patch releases. Developers utilizing affected versions are advised to upgrade to ensure the integrity and security of their applications.

References

https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f...

https://github.com/PHPOffice/PhpSpreadsheet/security/advi...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 3, 2025