CVE-2024-56409
published 2025-01-03CVE-2024-56409: PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized…
PriorityP426medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.32%
23.6th percentile
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpoffice | phpexcel | 0 – 1.8.2 | — |
| phpoffice | phpspreadsheet | < 1.29.7 | 1.29.7 |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | — | — |
| phpoffice | phpspreadsheet | >= 0 < 1.29.7 | 1.29.7 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.6 | 2.1.6 |
| phpoffice | phpspreadsheet | >= 2.0.0 < 2.1.6 | 2.1.6 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.5 | 2.3.5 |
| phpoffice | phpspreadsheet | >= 2.2.0 < 2.3.5 | 2.3.5 |
| phpoffice | phpspreadsheet | >= 3.0.0 < 3.7.0 | 3.7.0 |
| phpoffice | phpspreadsheet | >= 3.3.0 < 3.7.0 | 3.7.0 |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv4.08.3HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
osv·2025-01-03
CVE-2024-56409 [HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
# Unauthorized Reflected XSS in `Currency.php` file
**Product**: Phpspreadsheet
**Version**: version 3.6.0
**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)
**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform XSS-type attack
**Impact**: executing arbitrary JavaScript code in the browser
**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` file
**Exploitation conditions**: an unauthor
GHSA
PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
ghsa·2025-01-03
CVE-2024-56409 [HIGH] CWE-79 PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
# Unauthorized Reflected XSS in `Currency.php` file
**Product**: Phpspreadsheet
**Version**: version 3.6.0
**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)
**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform XSS-type attack
**Impact**: executing arbitrary JavaScript code in the browser
**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` file
**Exploitation conditions**: an unauthor
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-01-03
Published