CVE-2024-45060: Cross-site Scripting in PhpSpreadsheet

Severity
NVD: 6.1 MEDIUM
CNA: 7.1
EPSS
1.3% (top 20.43%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Oct 7
Latest update: Oct 23

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected, leading to formula injection. The code in `45_Quadratic_equation_solver.php` concatenates the user-supplied parameters directly into spreadsheet formulas. This allows an attacker to take control over the formula and output unsanitized data into the pa

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (4 packages)

Source: CVEList V5 | Package: phpoffice/phpspreadsheet | Affected versions: < 1.29.2 (+2 more)
Source: NVD | Package: phpoffice/phpspreadsheet | Affected versions: 2.0.0, 2.1.1 (+2 more)
Source: Packagist | Package: phpoffice/phpspreadsheet | Affected versions: 2.2.0, 2.3.0 (+2 more)
Source: Packagist | Package: phpoffice/phpexcel | Affected versions: 1.8.2

Vulnerability Details (3)

CVEList: Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet (2024-10-07)
GHSA: PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file (2024-10-07)
OSV: PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file (2024-10-07)

Vendor Advisories (1)

Drupal: Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054 (2024-10-23)

Source: cvebase