CVE-2024-45292: Cross-site Scripting in Phpspreadsheet

Severity: 5.4 MEDIUM (NVD)
EPSS: 1.1% (top 22.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 7; Latest update Oct 23

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (4 packages)

Source     | Package                    | Introduced | Fixed   | Further ranges
CVEListV5  | phpoffice/phpspreadsheet   |            | < 1.29.2 | +2
NVD        | phpoffice/phpspreadsheet   | 2.0.0      | 2.1.1   | +2
Packagist  | phpoffice/phpspreadsheet   | 2.2.0      | 2.3.0   | +2
Packagist  | phpoffice/phpexcel         | 1.8.2      |         |

Vulnerability Details (3)

GHSA: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks (2024-10-07)
CVEList: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks (2024-10-07)
OSV: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks (2024-10-07)

Vendor Advisories (1)

Drupal: Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054 (2024-10-23)

Source: cvebase