CVE-2024-45293
published 2024-10-07

CVE-2024-45293: PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader…

Priority: P3 · 55 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit / EPSS: 2.86% (85.0th percentile)
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`; if not found, it defaults to the UTF-8 encoding, which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload by utilizing a whitespace before or after the = in the attribute definition. The result is sensitive information disclosure through XXE on sites that allow users to upload their own Excel spreadsheets and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

10 ranges
Vendor     Product          Version range        Fixed in
drupal     loft_data_grids
phpoffice  phpexcel         0 – 1.8.2
phpoffice  phpspreadsheet   < 1.29.1             1.29.1
phpoffice  phpspreadsheet
phpoffice  phpspreadsheet
phpoffice  phpspreadsheet   >= 0 < 1.29.1        1.29.1
phpoffice  phpspreadsheet   >= 2.0.0 < 2.1.1     2.1.1
phpoffice  phpspreadsheet   >= 2.0.0 < 2.1.1     2.1.1
phpoffice  phpspreadsheet   >= 2.2.0 < 2.3.0     2.3.0
phpoffice  phpspreadsheet   >= 2.2.0 < 2.3.0     2.3.0

Detection & IOCs (extracted from sources)

Path: src/PhpSpreadsheet/Reader/Security/XmlScanner.php
  • XXE bypass via whitespace around '=' in XML encoding attribute: the regex for encoding="*" or encoding='*' fails to match when whitespace is inserted before/after the '=' sign, causing the parser to default to UTF-8 and skip UTF-7 conversion logic.
  • Detect XLSX uploads containing XML with encoding attribute using whitespace around '=' (e.g., encoding = "UTF-7" or encoding ='UTF-7') in the XML declaration — this is the bypass trigger for PHPSpreadsheet's XmlScanner.
  • Monitor for XLSX file uploads to WordPress sites running TablePress < 2.4.3; the crafted XLSX payload is delivered as a ZIP archive containing malicious XML with a UTF-7 encoded XXE payload.
  • The Nuclei template uses a hex-decoded binary XLSX payload (hh.php embedded) with max-request: 4 and flow: http(1) && http(2), indicating a two-stage exploit: upload then trigger/verify file read.
  • Fixed versions are 1.29.1, 2.1.1, and 2.3.0 for PHPSpreadsheet; TablePress 2.4.3 or later includes the fix. No known workarounds exist.
  • The Nuclei PoC template is tagged 'intrusive' and 'vuln', meaning active exploitation attempts are made against the target during scanning.
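The description above and the first two IOC bullets come down to one regex detail: the encoding check only matched `encoding="..."` with no whitespace around `=`, so a declaration written as `encoding = "UTF-7"` fell through to the UTF-8 default. The following is an added example written for this page, not PHPSpreadsheet's code, showing the strict (bypassable) pattern as the advisory describes it next to a whitespace-tolerant one, and using the tolerant one to flag XLSX parts whose XML declaration names an unexpected encoding before the file reaches a parser. The XLSX archive, the member names and the allow-list of acceptable encodings are constructed for the demonstration; the `STRICT_ENCODING_RE` is a reconstruction of the pattern the advisory describes, not the library's source.

```python
"""Whitespace-tolerant check of the XML encoding declaration in XLSX parts."""
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Encodings a spreadsheet part is expected to declare (constructed allow-list,
# compared case-insensitively). UTF-7 is deliberately not on it.
ALLOWED_ENCODINGS = {"utf-8", "utf8", "utf-16", "utf-16le", "utf-16be"}

# Reconstruction of the flawed pattern the advisory describes: '=' must be
# glued to both the attribute name and the quote, so `encoding = "UTF-7"`
# does not match and the caller falls back to UTF-8. Illustration only.
STRICT_ENCODING_RE = re.compile(r'encoding=["\']([^"\']*)["\']', re.IGNORECASE)

# Hardened pattern: XML allows optional whitespace on both sides of '='
# (Eq ::= S? '=' S?), and the closing quote must match the opening one.
TOLERANT_ENCODING_RE = re.compile(
    r'encoding\s*=\s*(["\'])([^"\']*)\1', re.IGNORECASE)

# Only the XML declaration at the start of the document is relevant; accept an
# optional UTF-8 BOM and leading whitespace, as lenient parsers do.
XML_DECL_RE = re.compile(rb'\A(?:\xef\xbb\xbf)?\s*<\?xml\b(.*?)\?>', re.DOTALL)


def _declaration(xml_bytes: bytes) -> Optional[str]:
    """Return the text inside <?xml ... ?>, or None if there is no declaration."""
    m = XML_DECL_RE.match(xml_bytes)
    if not m:
        return None
    return m.group(1).decode("ascii", errors="replace")


def strict_declared_encoding(xml_bytes: bytes) -> Optional[str]:
    """Encoding as seen by the strict (bypassable) pattern."""
    decl = _declaration(xml_bytes)
    if decl is None:
        return None
    m = STRICT_ENCODING_RE.search(decl)
    return m.group(1) if m else None


def tolerant_declared_encoding(xml_bytes: bytes) -> Optional[str]:
    """Encoding as seen by the whitespace-tolerant pattern."""
    decl = _declaration(xml_bytes)
    if decl is None:
        return None
    m = TOLERANT_ENCODING_RE.search(decl)
    return m.group(2) if m else None


def is_suspicious_encoding(encoding: Optional[str]) -> bool:
    """True when a part declares an encoding outside the allow-list.

    No declaration means UTF-8 by default and is not flagged; anything else
    (UTF-7 in particular) is reported for review instead of being parsed.
    """
    if encoding is None:
        return False
    return encoding.strip().lower() not in ALLOWED_ENCODINGS


def scan_xlsx(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, declared encoding) for every XML part of an XLSX
    archive whose declaration names an encoding outside the allow-list."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            with zf.open(info) as fh:
                head = fh.read(512)  # the declaration sits in the first bytes
            enc = tolerant_declared_encoding(head)
            if is_suspicious_encoding(enc):
                findings.append((info.filename, enc))
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed in-memory archive: one ordinary part and one whose
    declaration has whitespace around '=' (the shape the advisory describes).
    Both bodies are inert elements, not payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml",
                    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                    b'<workbook/>')
        zf.writestr("xl/worksheets/sheet1.xml",
                    b'<?xml version="1.0" encoding = "UTF-7"?><worksheet/>')
    return buf.getvalue()


if __name__ == "__main__":
    sample = b'<?xml version="1.0" encoding = "UTF-7"?><a/>'
    print("strict  :", strict_declared_encoding(sample))    # None -> falls back to UTF-8
    print("tolerant:", tolerant_declared_encoding(sample))  # UTF-7
    for name, enc in scan_xlsx(build_sample_xlsx()):
        print(f"flag {name}: declared encoding {enc!r}")
```

Running the module prints `None` for the strict pattern and `UTF-7` for the tolerant one on the same declaration, and `scan_xlsx` flags only `xl/worksheets/sheet1.xml`. The check is cheap enough to run on upload, before the archive is handed to any spreadsheet library, and it complements rather than replaces upgrading to the fixed versions listed above.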