CVE-2024-45048XML External Entity (XXE) Injection in Phpspreadsheet

CWE-611XML External Entity (XXE) Injection7 documents5 sources
Severity
6.5MEDIUMNVD
CNA8.8
EPSS
0.2%
top 63.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Phpoffice PhpspreadsheetPimcore Admin-ui-classic-bundlePimcore Data-importer+2 more
Timeline
PublishedAug 28
Latest updateOct 23

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages7 packages

CVEListV5phpoffice/phpspreadsheet< 2.2.1
NVDphpoffice/phpspreadsheet2.0.02.2.1+1
Packagistphpoffice/phpspreadsheet2.2.02.2.1+2
Packagistpimcore/pimcore10.6.9.010.6.9.12+1
Packagistpimcore/data-importer1.9.01.9.3+1

Patches

Patch: github.com

🔴Vulnerability Details

5
OSV
Pimcore includes vulnerable PHPOffice/PhpSpreadsheet2024-09-03
GHSA
Pimcore includes vulnerable PHPOffice/PhpSpreadsheet2024-09-03
OSV
XXE in PHPSpreadsheet encoding is returned2024-08-29
GHSA
XXE in PHPSpreadsheet encoding is returned2024-08-29
CVEList
XML External Entity Reference (XXE) in PHPSpreadsheet2024-08-28

📋Vendor Advisories

1
Drupal
Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-0542024-10-23
CVE-2024-45048 — XML External Entity (XXE) Injection | cvebase