CVE-2024-56365Cross-site Scripting in Phpspreadsheet

CWE-79Cross-site Scripting4 documents4 sources
Severity
8.3HIGHNVD
EPSS
0.7%
top 28.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Phpoffice PhpspreadsheetPhpoffice Phpexcel
Timeline
PublishedJan 3

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L

Affected Packages4 packages

CVEListV5phpoffice/phpspreadsheet< 1.29.7+3
NVDphpoffice/phpspreadsheet2.0.02.1.6+3
Packagistphpoffice/phpspreadsheet3.0.03.7.0+3
Packagistphpoffice/phpexcel1.8.2

Patches

Patch: github.com

🔴Vulnerability Details

3
CVEList
PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class2025-01-03
GHSA
PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class2025-01-03
OSV
PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class2025-01-03
CVE-2024-56365 — Cross-site Scripting in Phpspreadsheet | cvebase