Cross-Site Scripting Vulnerability in PhpSpreadsheet by PHPOffice
CVE-2024-56412
5.4 MEDIUM
Summary
The PhpSpreadsheet library, a widely used PHP library for reading and writing spreadsheet files, has a vulnerability that allows its cross-site scripting (XSS) sanitizer to be bypassed. It affects versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7: an attacker can combine special characters with the javascript protocol to craft malicious HTML links that the sanitizer does not catch. Because the affected versions fail to sanitize these inputs adequately, users who open the generated output could unknowingly execute harmful scripts. The updated versions contain the patches that close this security gap.
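As an added illustration of the class of bug described above (example code written for this page, not PhpSpreadsheet's own sanitizer), the following PHP contrasts a naive prefix check against a normalise-then-allow-list hyperlink sanitizer of the kind an HTML exporter needs; the allowed schemes and the sample cell values are assumptions.

```php
<?php
declare(strict_types=1);
// Naive prefix test of the kind a sanitizer bypass defeats: it only sees the
// literal bytes, so a scheme split by a control character gets through.
function naiveIsSafeHref(string $url): bool
{
    return stripos($url, 'javascript:') !== 0;
}
// Hardened variant: normalise first, then allow-list the scheme.
// Returns the cleaned URL, or null when the link must be dropped.
function sanitizeHref(string $url): ?string
{
    // Undo HTML entities so an encoded ':' or tab cannot hide the scheme.
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers ignore ASCII control characters and surrounding whitespace
    // when parsing a scheme, so strip them before inspecting it.
    $u = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $u));
    if ($u === '') {
        return null;
    }
    // No scheme at all: a relative link, allowed here (assumption).
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $u, $m)) {
        return $u;
    }
    return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true) ? $u : null;
}
// Emit the anchor, or fall back to escaped plain text for a rejected URL.
function renderLink(string $url, string $text): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    $safeText = htmlspecialchars($text, $flags, 'UTF-8');
    $href = sanitizeHref($url);
    if ($href === null) {
        return $safeText;
    }
    return '<a href="' . htmlspecialchars($href, $flags, 'UTF-8') . '">' . $safeText . '</a>';
}
// Constructed sample cell values (not taken from the advisory).
$samples = [
    'https://example.com/report',
    'javascript:void(0)',
    "java\tscript:void(0)",   // scheme broken up by a tab
    ' JavaScript:void(0)',    // leading space and mixed case
    'sheet2.html#A1',         // relative link, kept
];
foreach ($samples as $s) {
    printf("%-26s naive=%d hardened=%s\n", json_encode($s), naiveIsSafeHref($s), var_export(sanitizeHref($s), true));
}
```

The naive check reports the tab-split and space-prefixed javascript links as safe, while the hardened check rejects both and keeps only the https and relative links.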
References
CVSS V3.1
Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published