CVE-2024-45293
Published: 2024-10-07
Priority: P3 (55) · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit likelihood (EPSS): 2.86%, 85.0th percentile
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure using whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check, used in the toUtf8 function to retrieve the input file's XML encoding. The function searches for the XML encoding with a regex that looks for `encoding="*"` and/or `encoding='*'`; if neither form is found, it defaults to UTF-8, which bypasses the conversion logic. This logic can be abused to pass a UTF-7 encoded XXE payload by placing whitespace before or after the `=` in the attribute definition. The impact is sensitive information disclosure through XXE on sites that allow users to upload their own Excel spreadsheets and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| drupal | loft_data_grids | — | — |
| phpoffice | phpexcel | 0 – 1.8.2 | — |
| phpoffice | phpspreadsheet | < 1.29.1 | 1.29.1 |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | >= 0 < 1.29.1 | 1.29.1 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.1 | 2.1.1 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.1 | 2.1.1 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.0 | 2.3.0 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.0 | 2.3.0 |
Detection & IOCs
- XXE bypass via whitespace around `=` in the XML encoding attribute: the regex for `encoding="*"` or `encoding='*'` fails to match when whitespace is inserted before or after the `=`, so the parser defaults to UTF-8 and skips the UTF-7 conversion logic.
- Detect XLSX uploads containing XML whose declaration writes the encoding attribute with whitespace around `=` (e.g. `encoding = "UTF-7"` or `encoding ='UTF-7'`); this is the bypass trigger for PHPSpreadsheet's XmlScanner.
- Monitor for XLSX file uploads to WordPress sites running TablePress < 2.4.3; the crafted XLSX payload is delivered as a ZIP archive containing malicious XML with a UTF-7 encoded XXE payload.
- The Nuclei template uses a hex-decoded binary XLSX payload (with hh.php embedded), `max-request: 4` and `flow: http(1) && http(2)`, indicating a two-stage exploit: upload, then trigger/verify the file read.
- Fixed versions are 1.29.1, 2.1.1, and 2.3.0 for PHPSpreadsheet; TablePress 2.4.3 or later includes the fix. No known workarounds exist.
- The Nuclei PoC template is tagged `intrusive` and `vuln`, meaning active exploitation attempts are made against the target during scanning.
GHSA
ghsa · 2024-10-07
CVE-2024-45293 [HIGH] CWE-611: XXE in PHPSpreadsheet's XLSX reader
### Summary
The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure using whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet.
### Details
The security scan function in `src/PhpSpreadsheet/Reader/Security/XmlScanner.php` contains a flawed XML encoding check, used in the `toUtf8` function to retrieve the input file's XML encoding.
The function searches for the XML encoding with a regex that looks for `encoding="*"` and/or `encoding='*'`; if neither form is found, it defaults to UTF-8, which bypasses the conversion logic.
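As an added illustration (not code from PHPSpreadsheet or the advisory), the following Python compares a narrow encoding check of the kind described above with one that follows the XML 1.0 grammar, where `Eq ::= S? '=' S?`, and then audits the XML parts of an uploaded XLSX (a ZIP archive) for declarations the narrow check misses, which is the detection the IOC list above calls for. Both regexes, the `audit_xlsx` helper and the sample archive are assumptions constructed here.

```python
import io
import re
import zipfile

# Narrow check modelled on the advisory's description of toUtf8 (assumption, not
# the library's exact regex): no whitespace allowed around the '='.
NARROW_RE = re.compile(r'''encoding=(?:"([^"]+)"|'([^']+)')''', re.IGNORECASE)
# Tolerant check following the XML 1.0 EncodingDecl production, where
# Eq ::= S? '=' S?, so whitespace on either side of '=' is legal.
ROBUST_RE = re.compile(
    r'''encoding\s*=\s*(?:"([A-Za-z][A-Za-z0-9._-]*)"|'([A-Za-z][A-Za-z0-9._-]*)')''',
    re.IGNORECASE)
DECL_RE = re.compile(r"^\s*<\?xml\b(.*?)\?>", re.DOTALL)


def declared_encoding(xml: bytes, pattern: re.Pattern) -> str:
    """Encoding named by the XML declaration per `pattern`, else 'UTF-8' (the
    advisory's fallback). The declaration is ASCII in every ASCII-compatible
    encoding, UTF-7 included; UTF-16/32 BOM sniffing is out of scope here."""
    decl = DECL_RE.match(xml[:256].decode("ascii", errors="replace"))
    if not decl:
        return "UTF-8"
    hit = pattern.search(decl.group(1))
    if not hit:
        return "UTF-8"
    return next(g for g in hit.groups() if g).upper()


def audit_xlsx(data: bytes) -> dict:
    """{part_name: encoding} for every XML part where the narrow check sees
    UTF-8 but the tolerant check sees something else (the bypass trigger)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".xml", ".rels")):
                continue
            part = zf.read(name)
            narrow, robust = declared_encoding(part, NARROW_RE), declared_encoding(part, ROBUST_RE)
            if narrow != robust:
                findings[name] = robust
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed stand-in for an uploaded workbook (not a real XLSX): one
    benign part and one whose declaration spaces out the '='."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("xl/workbook.xml", b'<?xml version="1.0" encoding="UTF-8"?><workbook/>')
        zf.writestr("xl/sharedStrings.xml", b"<?xml version='1.0' encoding = 'UTF-7'?><sst/>")
    return buf.getvalue()
```

Running `audit_xlsx(build_sample_xlsx())` reports only `xl/sharedStrings.xml` as declaring UTF-7, the part the narrow check would have treated as UTF-8.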
```php
$patterns = [
'/encoding
```
OSV
osv · 2024-10-07
CVE-2024-45293 [HIGH] XXE in PHPSpreadsheet's XLSX reader
Drupal
vendor_drupal · 2024-10-23
CVE-2024-45048 [MEDIUM] Loft Data Grids - Moderately critical - Multiple vulnerabilities - SA-CONTRIB-2024-054
Vulnerability Type: Multiple vulnerabilities
Description: This module provides serialization formats for use by other modules. The module includes a version of phpoffice/phpspreadsheet which has multiple known security vulnerabilities.
Solution: If you use the Loft Data Grids module for Drupal 7.x, install one of:
- Loft Data Grids 7.x-2.7, which removes support for the XLSX format, as the patched version requires PHP 8.
- Loft Data Grids 7.x-3.0, which includes XLSX support by requiring PHP 8 and Composer installation.
See the module's README file for more information.
No detection rules found.
Nuclei
nuclei · CVSS 7.5
CVE-2024-45293 [HIGH] TablePress < 2.4.3 - XXE Injection
The PHPSpreadsheet library used by the plugin is affected by an XXE vulnerability: the security scanner that prevents XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure using whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet.
Template:
```yaml
id: CVE-2024-45293

info:
  name: TablePress < 2.4.3 - XXE Injection
  author: iamnoooob,ritikchaddha
  severity: high
  description: |
    The PHPSpreadsheet library used by the plugin is affected by an XXE as the security scanner that prevents XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white spaces. On servers that allow users to u
```
No writeups or analysis indexed.