CVE-2024-47873
Published: 2024-11-18
Priority: P346 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.76% (50.6th percentile)
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.
Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpoffice | phpexcel | 0 – 1.8.2 | — |
| phpoffice | phpspreadsheet | >= 0, < 1.29.4 | 1.29.4 |
| phpoffice | phpspreadsheet | >= 2.0.0, < 2.1.3 | 2.1.3 |
| phpoffice | phpspreadsheet | >= 2.2.0, < 2.3.2 | 2.3.2 |
| phpoffice | phpspreadsheet | >= 3.3.0, < 3.4.0 | 3.4.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
OSV: XmlScanner bypass leads to XXE
CVE-2024-47873 · HIGH · CWE-611 · osv, ghsa · 2024-11-18
### Summary
The [XmlScanner class](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php) has a [scan](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L72) method which should prevent XXE attacks.
However, the regexes used in the `scan` method and the [findCharSet](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L51) method can be bypassed by using UCS-4 and encoding guessing as described in .
### Details
The `scan` method converts the input in the UTF-8 encoding if it is not already in the
GHSA: XXE in PHPSpreadsheet's XLSX reader
CVE-2024-48917 · HIGH · CWE-611 · CVSS 7.5 · ghsa, osv · 2024-11-18
### Summary
The [XmlScanner class](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php) has a [scan](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L72) method which should prevent XXE attacks.
However, we found a bypass other than the previously reported `CVE-2024-47873`: the regexes from the [findCharSet](https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L51) method, which is used for determining the current encoding, can be bypassed by using a payload in the encoding UTF-7, and addin
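Both advisories on this page (the UCS-4 and encoding-guessing bypass of CVE-2024-47873 and the UTF-7 bypass of CVE-2024-48917) describe the same defect: a pattern match over the raw bytes sees a different document than the XML parser does once the parser has chosen an encoding. The Python script below is an added illustration of the defensive side, written for this page; it is not PhpSpreadsheet's code and not its actual fix. It guesses the encoding family from the leading bytes (the W3C autodetection table linked in the references), decodes the document, decodes it again under any encoding the XML declaration names, and rejects a DOCTYPE found under any of those readings. The function names, the `_SIGNATURES` table and the three sample documents are all constructed here.

```python
"""Encoding-aware DOCTYPE pre-scan: an added illustration, not PhpSpreadsheet code."""
import base64
import codecs
import re

# Byte signatures from the XML spec's "Autodetection of Character Encodings"
# appendix. BOM-bearing signatures are checked first; the BOM-less ones key off
# the "<" or "<?" that starts a document in each family.
_SIGNATURES = (
    (b"\x00\x00\xfe\xff", "utf-32-be"),
    (b"\xff\xfe\x00\x00", "utf-32-le"),
    (b"\xef\xbb\xbf", "utf-8"),
    (b"\xfe\xff", "utf-16-be"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\x00\x00\x00\x3c", "utf-32-be"),  # "<" in UCS-4 big-endian, no BOM
    (b"\x3c\x00\x00\x00", "utf-32-le"),  # "<" in UCS-4 little-endian, no BOM
    (b"\x00\x3c\x00\x3f", "utf-16-be"),  # "<?" in UTF-16 big-endian, no BOM
    (b"\x3c\x00\x3f\x00", "utf-16-le"),  # "<?" in UTF-16 little-endian, no BOM
)

_DECL_ENCODING = re.compile(r'^<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']')
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def guess_family(data: bytes) -> str:
    """Codec family implied by the leading bytes; UTF-8 when nothing matches."""
    for signature, codec_name in _SIGNATURES:
        if data.startswith(signature):
            return codec_name
    return "utf-8"


def candidate_texts(data: bytes) -> list[str]:
    """Every reading of the document a parser might adopt.

    The first is the byte-sniffed decoding, which is what makes the XML
    declaration readable at all. If that declaration names an encoding, the
    original bytes are decoded again under it, so text that only appears
    after a shift sequence (UTF-7) is inspected as well.
    """
    sniffed = data.decode(guess_family(data), errors="replace").lstrip("\ufeff")
    texts = [sniffed]
    match = _DECL_ENCODING.match(sniffed)
    if match:
        declared = match.group(1)
        try:
            codecs.lookup(declared)
        except LookupError:
            # An encoding the scanner cannot decode must not reach the parser either.
            raise ValueError(f"unsupported XML encoding: {declared}") from None
        texts.append(data.decode(declared, errors="replace").lstrip("\ufeff"))
    return texts


def naive_has_doctype(data: bytes) -> bool:
    """Byte-level pattern match: the style of check the advisories call bypassable."""
    return re.search(rb"<!DOCTYPE", data, re.IGNORECASE) is not None


def has_doctype(data: bytes) -> bool:
    """Encoding-aware check: a DOCTYPE under any plausible decoding is rejected."""
    return any(_DOCTYPE.search(text) for text in candidate_texts(data))


# Constructed test documents. They carry a bare DOCTYPE and no entity
# declarations; the only question is whether the scanner can see the marker.
PLAIN = b'<?xml version="1.0"?><!DOCTYPE r><r/>'
UCS4_BE = '<?xml version="1.0"?><!DOCTYPE r><r/>'.encode("utf-32-be")  # BOM-less UCS-4
# UTF-7 allows any character inside a base64 shift sequence. Python's encoder
# writes "<" directly, so the shifted DOCTYPE is assembled here from UTF-16BE.
UTF7 = (
    b'<?xml version="1.0" encoding="UTF-7"?>'
    + b"+" + base64.b64encode("<!DOCTYPE r>".encode("utf-16-be")).rstrip(b"=") + b"-"
    + b"<r/>"
)

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("ucs-4", UCS4_BE), ("utf-7", UTF7)):
        print(f"{label:6} byte-regex={naive_has_doctype(doc)!s:5} encoding-aware={has_doctype(doc)}")
```

Running it shows the byte-level regex missing the UCS-4 and UTF-7 samples while the encoding-aware check flags all three. A pre-scan of this kind is defence in depth only: the control that actually closes XXE is the parser configuration (for PHP's libxml, never enabling `LIBXML_NOENT` or `LIBXML_DTDLOAD` on untrusted input; PHP 8 builds against libxml 2.9+, which does not load external entities unless asked), together with upgrading to the fixed releases listed above.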
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jw4x-v69f-hh5w
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
- https://www.w3.org/TR/xml/#sec-guessing-no-ext-info