CVE-2024-56408
published 2025-01-03CVE-2024-56408: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the…
PriorityP427medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.39%
30.7th percentile
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpoffice | phpexcel | 0 – 1.8.2 | — |
| phpoffice | phpspreadsheet | < 1.29.7 | 1.29.7 |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | >= 0 < 1.29.7 | 1.29.7 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.6 | 2.1.6 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.6 | 2.1.6 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.5 | 2.3.5 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.5 | 2.3.5 |
| phpoffice | phpspreadsheet | >= 3.0.0 < 3.7.0 | 3.7.0 |
| phpoffice | phpspreadsheet | >= 3.3.0 < 3.7.0 | 3.7.0 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv4.08.3HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
ghsa·2025-01-03
CVE-2024-56408 [HIGH] CWE-79 PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
# Unauthorized Reflected XSS in `Convert-Online.php` file
**Product**: Phpspreadsheet
**Version**: version 3.6.0
**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)
**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack
**Impact**: executing arbitrary JavaScript code in the browser
**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file
**Exploitation conditions**: an
OSV
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
osv·2025-01-03
CVE-2024-56408 [HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
# Unauthorized Reflected XSS in `Convert-Online.php` file
**Product**: Phpspreadsheet
**Version**: version 3.6.0
**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)
**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack
**Impact**: executing arbitrary JavaScript code in the browser
**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file
**Exploitation conditions**: an
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4https://github.com/PHPOffice/PhpSpreadsheet/commit/9b9a55c7154daa7cd4095f618933c240508ba3c1https://github.com/PHPOffice/PhpSpreadsheet/commit/a50ebfe118b3ae0ddaea1c48ac19dc38692f4abchttps://github.com/PHPOffice/PhpSpreadsheet/commit/b8fac55aa5cb7a3d514c7308378bb37bb711b25ehttps://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xghttps://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg
2025-01-03
Published