Reflected cross-site scripting (XSS) in phpoffice/phpspreadsheet

Description

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize "javascript:" URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);...

Save this file in the same directory: book.xlsx

Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
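
A consumer-side check for the issue described in the Summary, written as an added example; it is not PhpSpreadsheet's code or its patch. It post-processes HTML such as the writer's output and drops any href whose scheme is not on an allow-list; the function names, the allow-list and the sample markup are assumptions.

```php
<?php
// Added example, not PhpSpreadsheet code. Function names are hypothetical
// and the sample markup is constructed. Requires PHP's dom extension.

const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/** True if $url has no scheme (relative, fragment) or an allow-listed one. */
function isSafeHref(string $url): bool
{
    // Browsers drop tab/CR/LF anywhere in a URL and leading control
    // characters or spaces before parsing, so normalize the same way first.
    $u = ltrim(str_replace(["\t", "\r", "\n"], '', $url), "\x00..\x20");
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $u, $m)) {
        return true;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

/** Remove href from every <a> whose target fails isSafeHref(). */
function neutralizeUnsafeLinks(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // tolerate non-strict markup
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // DOM parsing decodes character references, so entity-encoded schemes
    // are checked in their decoded form.
    foreach ($doc->getElementsByTagName('a') as $a) {
        if ($a->hasAttribute('href') && !isSafeHref($a->getAttribute('href'))) {
            $a->removeAttribute('href');
        }
    }
    return $doc->saveHTML();
}

// Constructed sample standing in for the HTML writer's output.
$sample = '<html><body><table><tr>'
    . '<td><a href="https://example.com/">kept</a></td>'
    . '<td><a href="#Sheet2">kept</a></td>'
    . '<td><a href="javascript:void(0)">href removed</a></td>'
    . '<td><a href=" JavaScript:void(0)">href removed</a></td>'
    . '</tr></table></body></html>';

echo neutralizeUnsafeLinks($sample);
```

Because the check runs on the rendered markup, it applies equally to regular hyperlinks and to links produced by HYPERLINK() formulas.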

Ecosystem
Package
Affected version
Patched versions