CVE-2024-47873 — XML External Entity (XXE) Injection in Phpspreadsheet

CWE-611 — XML External Entity (XXE) Injection5 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 61.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpoffice Phpspreadsheet Phpoffice Phpexcel

Timeline

PublishedNov 18

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5phpoffice/phpspreadsheet< 1.29.4+3

▶NVDphpoffice/phpspreadsheet2.0.0 — 2.1.3+3

▶Packagistphpoffice/phpspreadsheet2.0.0 — 2.1.3+3

▶Packagistphpoffice/phpexcel1.8.2

🔴Vulnerability Details

OSV

XmlScanner bypass leads to XXE↗2024-11-18

▶

CVEList

PhpSpreadsheet XmlScanner bypass leads to XXE↗2024-11-18

▶

GHSA

XmlScanner bypass leads to XXE↗2024-11-18

▶

GHSA

XXE in PHPSpreadsheet's XLSX reader↗2024-11-18

▶