CVE-2024-45046: Cross-site Scripting in Phpspreadsheet

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.3% (top 43.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 28; Latest update Oct 23

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript into the generated page. As a result, an attacker may use a crafted spreadsheet to fully take over the session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There a

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (4 packages)

Source     | Package                   | Versions
CVEListV5  | phpoffice/phpspreadsheet  | < 2.1.0
NVD        | phpoffice/phpspreadsheet  | 2.0.0, 2.1.0 (+1)
Packagist  | phpoffice/phpspreadsheet  | 2.0.0, 2.1.0 (+1)
Packagist  | phpoffice/phpexcel        | 1.8.2

Patches

Vulnerability Details (3)

GHSA: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information (2024-08-29)
OSV: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information (2024-08-29)
CVEList: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information (2024-08-28)

Vendor Advisories (1)

Drupal: Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054 (2024-10-23)