CVE-2024-45046
Published: 2024-08-28
Priority: P4 · 27 · Severity: medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.40% (31.3rd percentile)
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript into the generated page. As a result, an attacker may use a crafted spreadsheet to fully take over the session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | loft_data_grids | — | — |
| phpoffice | phpexcel | 0 – 1.8.2 | — |
| phpoffice | phpspreadsheet | < 2.1.0 | 2.1.0 |
| phpoffice | phpspreadsheet | < 1.29.1 | 1.29.1 |
| phpoffice | phpspreadsheet | >= 0 < 1.29.1 | 1.29.1 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.0 | 2.1.0 |
GHSA
PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
ghsa · 2024-08-29 · CVE-2024-45046 · MEDIUM · CWE-79
### Summary
`\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.
### PoC
Example target script:
```php
<?php
// The opening `<?php`, the Composer autoloader line and the `IOFactory::load(` call
// were lost in extraction; they are reconstructed here (assumed, standard PhpSpreadsheet usage).
require __DIR__ . '/vendor/autoload.php';

$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
```
Save this file in the same directory:
[book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15212797/book.xlsx)
Open index.php in a web browser. An alert should be displayed.
### Impact
Full takeover of the session of users viewing spreadsheet files as HTML.
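The Summary above describes the bug class: a style value (here a font name) read from the workbook is written verbatim into an inline `style` attribute of the HTML output. The following is an added illustration, not PhpSpreadsheet's own code, using a constructed font name and a hypothetical minimal cell emitter, shown first in the unsafe form and then with the two controls a hardened writer applies: an allowlist on the style value and HTML-escaping of the attribute.

```php
<?php
declare(strict_types=1);

// Constructed sample: a font name as a crafted workbook might carry it in its styles.
// It contains a double quote and angle brackets, which is what lets it leave the attribute.
$fontName = 'Arial"><i>injected</i><span x="';

// Unsafe pattern (the class of defect described in the advisory): style data is
// interpolated into the HTML attribute without any escaping, so the quote closes
// the attribute early and the rest of the string becomes markup.
function cellHtmlUnsafe(string $text, string $font): string
{
    return '<td style="font-family:' . $font . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Control 1: accept only characters that legitimately occur in font family names
// and fall back to a neutral value instead of emitting anything else.
function safeFontFamily(string $font): string
{
    if (!preg_match('/^[A-Za-z0-9 _,\-]{1,64}$/', $font)) {
        return 'inherit';
    }
    return $font;
}

// Control 2: HTML-escape the attribute value anyway (defence in depth), so even a
// value that slipped past the allowlist cannot terminate the attribute.
function cellHtmlSafe(string $text, string $font): string
{
    $style = 'font-family:' . htmlspecialchars(safeFontFamily($font), ENT_QUOTES, 'UTF-8');
    return '<td style="' . $style . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</td>';
}

echo cellHtmlUnsafe('42', $fontName), PHP_EOL;        // attribute closed early, injected markup rendered
echo cellHtmlSafe('42', $fontName), PHP_EOL;          // falls back to font-family:inherit
echo cellHtmlSafe('42', 'Times New Roman'), PHP_EOL;  // legitimate name passes unchanged
```

The actual fix is to upgrade to PhpSpreadsheet 2.1.0 or 1.29.1 as the advisory states; this example only shows why escaping the cell text alone is not sufficient when style values come from the same untrusted file.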
OSV
PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
osv · 2024-08-29 · CVE-2024-45046 · MEDIUM
Advisory text identical to the GHSA entry above.
Drupal
Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054
vendor_drupal · 2024-10-23 · CVE-2024-45048 · MEDIUM
Title: Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054
Vulnerability Type: Multiple vulnerabilities
Description: This module provides serialization formats for use by other modules. The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities.
Solution: If you use the Loft Data Grids module for Drupal 7.x, install one of:
- Loft Data Grids 7.x-2.7, which removes support for the XLSX format, as the patched version requires PHP 8.
- Loft Data Grids 7.x-3.0, which includes XLSX support by requiring PHP 8 and Composer installation.
See the module's README file for more information.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.