CVE-2024-48917XML External Entity (XXE) Injection in Phpspreadsheet

CWE-611XML External Entity (XXE) Injection4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.2%
top 61.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Phpoffice PhpspreadsheetPhpoffice Phpexcel
Timeline
PublishedNov 18

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding="UTF-8"` with `"`, which is matched by the first regex, so that `en

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

CVEListV5phpoffice/phpspreadsheet< 1.29.4+3
NVDphpoffice/phpspreadsheet2.0.02.1.3+3
Packagistphpoffice/phpspreadsheet2.0.02.1.3+3
Packagistphpoffice/phpexcel1.8.2

🔴Vulnerability Details

3
GHSA
XXE in PHPSpreadsheet's XLSX reader2024-11-18
OSV
XXE in PHPSpreadsheet's XLSX reader2024-11-18
CVEList
XXE in PHPSpreadsheet's XLSX reader2024-11-18
CVE-2024-48917 — XML External Entity (XXE) Injection | cvebase