cbcvebase.
CVE-2024-45046
published 2024-08-28

Priority: P4 (27)   Severity: medium   CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.40% (31.3rd percentile)
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript into the generated page. As a result, an attacker can use a crafted spreadsheet to fully take over the session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0 (the affected-version data below also lists 1.29.1 as the fixed release for the 1.x branch). All users are advised to upgrade. There are no known workarounds for this vulnerability.
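A quick way to confirm whether the PhpSpreadsheet build installed in a project is affected, as an added example that is not part of this advisory or of the PhpSpreadsheet project: set a font name containing markup that has no business appearing raw inside a `<style>` block, run the HTML writer, and look for it in the output. A harmless comment marker stands in for a real script payload. The autoloader path and the exact escaping behaviour of the fixed releases (the check assumes a patched writer no longer emits the marker verbatim) are assumptions.

```php
<?php
// Added example, not code from the advisory or from PhpSpreadsheet.
// Assumes `composer require phpoffice/phpspreadsheet` has been run and
// that the Composer autoloader lives at the path below (adjust as needed).
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;

// Font name carrying a benign marker where an attacker would place a
// closing </style> followed by a <script> element. A vulnerable
// Writer\Html copies the font name into the generated CSS unchanged;
// the check below assumes a patched writer escapes or strips it.
$marker = 'Arial</style><!--CVE-2024-45046-probe-->';

$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();
$sheet->setCellValue('A1', 'probe');
$sheet->getStyle('A1')->getFont()->setName($marker);

$writer = new Html($spreadsheet);
$html = $writer->generateHtmlAll();

// Look for the raw, unescaped marker in the emitted HTML/CSS.
$vulnerable = strpos($html, '</style><!--CVE-2024-45046-probe-->') !== false;

printf(
    "Writer\\Html %s the unescaped font name: %s\n",
    $vulnerable ? 'emits' : 'does not emit',
    $vulnerable
        ? 'affected by CVE-2024-45046, upgrade to 1.29.1 or 2.1.0'
        : 'looks patched'
);
exit($vulnerable ? 1 : 0);
```

Run it with `php probe.php` inside the project; a non-zero exit code means the installed writer passes styling strings through unescaped. Because the bug is in the writer rather than the reader, the same probe applies whether spreadsheets come from user uploads or from internal sources: any code path that converts a workbook to HTML for display in a browser is exposed until the library is upgraded.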

Affected

7 ranges

Vendor     Product          Version range        Fixed in
drupal     loft_data_grids  (not specified)      (none listed)
phpoffice  phpexcel         0 – 1.8.2            (none listed)
phpoffice  phpspreadsheet   < 2.1.0              2.1.0
phpoffice  phpspreadsheet   < 1.29.1             1.29.1
phpoffice  phpspreadsheet   >= 0, < 1.29.1       1.29.1
phpoffice  phpspreadsheet   >= 2.0.0, < 2.1.0    2.1.0
phpoffice  phpspreadsheet   >= 2.0.0, < 2.1.0    2.1.0