
CVE-2024-45046 phpoffice/phpspreadsheet

Package

Manager: composer
Name: phpoffice/phpspreadsheet
Vulnerable Version: >=2.0.0 <2.1.0 || >=0 <1.29.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00112 (percentile 0.30341)

Details

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

### Summary

`\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.

### PoC

Example target script:

```php
<?php
require 'vendor/autoload.php';

// Load the crafted workbook from the same directory as this script.
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

// Render the workbook as HTML; styling information (e.g. font names) is
// copied into the output without sanitization in the affected versions.
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
```

Save this file in the same directory: [book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15212797/book.xlsx)

Open index.php in a web browser. An alert should be displayed.

### Impact

Full takeover of the session of users viewing spreadsheet files as HTML.
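As an added illustration (not PhpSpreadsheet's own code), the following standalone PHP contrasts a writer that interpolates a spreadsheet font name into an HTML `style` attribute unescaped with one that escapes the value for the attribute context and, more strictly, allowlists it. The function names and the sample font names are constructed for this example and do not come from the advisory's book.xlsx.

```php
<?php
// Added example, not PhpSpreadsheet code: how an HTML writer should treat
// untrusted styling values such as font names before emitting them.

declare(strict_types=1);

// Unsafe: the font name is interpolated verbatim into the attribute, so a
// value containing '"' or '<' leaves the attribute and becomes markup.
function renderCellUnsafe(string $fontName, string $text): string
{
    return '<td style="font-family:' . $fontName . '">' . $text . '</td>';
}

// Hardened: each untrusted value is escaped for the context it lands in.
// ENT_QUOTES | ENT_HTML5 escapes both quote styles, so the value can no
// longer close the style attribute; the cell text is escaped as HTML text.
function renderCellSafe(string $fontName, string $text): string
{
    $font = htmlspecialchars($fontName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td style="font-family:' . $font . '">' . $body . '</td>';
}

// Stricter option: accept only values that look like font names and fall
// back to a fixed default otherwise, so CSS never sees arbitrary input.
function sanitizeFontName(string $fontName, string $default = 'Calibri'): string
{
    return preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $fontName) === 1 ? $fontName : $default;
}

// Constructed sample values (hypothetical, not taken from the advisory).
$benign  = 'Arial';
$hostile = 'Arial"><b>injected</b'; // breaks out of the attribute if unescaped

printf("unsafe:    %s\n", renderCellUnsafe($hostile, 'hello'));
printf("escaped:   %s\n", renderCellSafe($hostile, 'hello'));
printf("allowlist: %s\n", renderCellSafe(sanitizeFontName($hostile), 'hello'));
printf("benign:    %s\n", renderCellSafe(sanitizeFontName($benign), 'hello'));
```

Running it shows the unsafe variant emitting the injected tag as live markup, while the escaped variant keeps the whole value inside the attribute and the allowlist variant replaces it with the default font.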

Metadata

Created: 2024-08-29T17:56:56Z
Modified: 2025-03-06T18:09:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-wgmf-q9vr-vww6/GHSA-wgmf-q9vr-vww6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-wgmf-q9vr-vww6
Finding: F008
Auto approve: 1