Fluid Attacks Database

Description

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);...

Save this file in the same directory: book.xlsx

Open index.php in a web browser. An alert should be displayed.

Impact

Full takeover of the session of users viewing spreadsheet files as HTML.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpoffice/phpspreadsheet	>=2.0.0 <2.1.0 \|\| >=0 <1.29.1	2.1.0, 1.29.1
packagist	phpoffice/phpexcel	>=0 <=1.8.2	-

Aliases

1. CVE-2024-450462. NVD-2024-450463. OSV-2024-450464. GHSA-wgmf-q9vr-vww65. GCVE-2024-45046

References

1. https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww62. https://github.com/PHPOffice/PhpSpreadsheet/pull/39573. https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.