CVE-2024-56412: Cross-site Scripting in PhpSpreadsheet

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.2% (top 54.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 3

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to a bypass of the cross-site scripting sanitizer using the javascript protocol combined with special characters. By inserting special characters into a javascript-protocol URL, an attacker can get the library to accept the URL the sanitizer was meant to reject and emit it as an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages (4 packages)

Source      Package                     Affected range
CVEListV5   phpoffice/phpspreadsheet    < 1.29.7 (+3 more ranges)
NVD         phpoffice/phpspreadsheet    2.0.0 to 2.1.6 (+3 more ranges)
Packagist   phpoffice/phpspreadsheet    3.0.0 to 3.7.0 (+3 more ranges)
Packagist   phpoffice/phpexcel          1.8.2

Patches

Vulnerability Details (3 sources)

CVEList: PhpSpreadsheet vulnerable to bypass of the XSS sanitizer using the javascript protocol and special characters (2025-01-03)
GHSA: PhpSpreadsheet allows bypass of the XSS sanitizer using the javascript protocol and special characters (2025-01-03)
OSV: PhpSpreadsheet allows bypass of the XSS sanitizer using the javascript protocol and special characters (2025-01-03)