CVE-2024-56408Cross-site Scripting in Phpspreadsheet

CWE-79Cross-site Scripting4 documents4 sources
Severity
8.3HIGHNVD
EPSS
1.0%
top 22.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Phpoffice PhpspreadsheetPhpoffice Phpexcel
Timeline
PublishedJan 3

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L

Affected Packages4 packages

CVEListV5phpoffice/phpspreadsheet< 1.29.7+3
NVDphpoffice/phpspreadsheet2.0.02.1.6+3
Packagistphpoffice/phpspreadsheet3.0.03.7.0+3
Packagistphpoffice/phpexcel1.8.2

Patches

Patch: github.com

🔴Vulnerability Details

3
GHSA
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file2025-01-03
CVEList
PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file2025-01-03
OSV
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file2025-01-03
CVE-2024-56408 — Cross-site Scripting in Phpspreadsheet | cvebase