CVE-2024-45060

Source
https://cve.org/CVERecord?id=CVE-2024-45060
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45060.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-45060
Aliases
Published
2024-10-07T20:15:35.087Z
Modified
2026-03-01T02:48:07.343386Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Summary
Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet
Details

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts shipped with PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected, leading to formula injection. The code in 45_Quadratic_equation_solver.php concatenates the user-supplied parameters directly into spreadsheet formulas. Because the parameters are never validated as numbers, an attacker can take control of the formula and have it output unsanitized data into the page, resulting in JavaScript execution in the browser of a user who follows a crafted link (the CVSS vector above reflects that user interaction is required). This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
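The following PHP is an added illustration of the pattern the advisory describes, placed next to a hardened version; it is not the code of 45_Quadratic_equation_solver.php or of PhpSpreadsheet itself. The formula layout, the parameter names and the `vendor/autoload.php` path are assumptions made for the example, which needs a Composer install of phpoffice/phpspreadsheet to run.

```php
<?php
// Added example for CVE-2024-45060: vulnerable pattern beside a hardened one.
// Not the sample script's real code. Assumes phpoffice/phpspreadsheet was
// installed with Composer; the autoload path below is an assumption.
require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Cell\DataType;

/**
 * Vulnerable: raw request parameters are concatenated into the formula text,
 * so the caller controls formula syntax rather than just a numeric operand.
 */
function computeVulnerable(string $a, string $b): string
{
    $spreadsheet = new Spreadsheet();
    $sheet = $spreadsheet->getActiveSheet();
    $sheet->setCellValue('A1', '=(' . $a . ')*(' . $b . ')');
    return (string) $sheet->getCell('A1')->getCalculatedValue();
}

/**
 * Hardened: reject anything that is not a number, store the operands as
 * numeric cells, and keep the formula itself a constant that only references
 * those cells. The attacker never gets to write formula text.
 */
function computeHardened(string $a, string $b): float
{
    $fa = filter_var($a, FILTER_VALIDATE_FLOAT);
    $fb = filter_var($b, FILTER_VALIDATE_FLOAT);
    if ($fa === false || $fb === false) {
        throw new InvalidArgumentException('operands must be numeric');
    }
    $spreadsheet = new Spreadsheet();
    $sheet = $spreadsheet->getActiveSheet();
    $sheet->setCellValueExplicit('A1', $fa, DataType::TYPE_NUMERIC);
    $sheet->setCellValueExplicit('A2', $fb, DataType::TYPE_NUMERIC);
    $sheet->setCellValue('A3', '=A1*A2'); // fixed formula, cell references only
    return (float) $sheet->getCell('A3')->getCalculatedValue();
}

/** Defence in depth: escape whatever reaches the HTML page, whatever its origin. */
function renderResult(string $value): string
{
    return '<p>Result: ' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed payload: closes the opening parenthesis, splices a string into
// the formula with the spreadsheet '&' concatenation operator, then reopens a
// parenthesis so the formula still parses.
$payload = '1)&"<img src=x onerror=alert(1)>"&(1';

// The formula becomes =(1)&"<img src=x onerror=alert(1)>"&(1)*(2); the
// calculated value carries the tag, and echoing it unescaped executes it.
echo 'vulnerable: ' . computeVulnerable($payload, '2') . PHP_EOL;

// Same value passed through the escaping renderer: the tag is inert.
echo 'escaped:    ' . renderResult(computeVulnerable($payload, '2')) . PHP_EOL;

// Hardened path: numeric input works, the payload is rejected before any
// formula is built.
echo 'hardened:   ' . computeHardened('3', '4') . PHP_EOL;
try {
    computeHardened($payload, '2');
} catch (InvalidArgumentException $e) {
    echo 'hardened rejects payload: ' . $e->getMessage() . PHP_EOL;
}
```

Two independent controls are shown on purpose: validating the parameters as numbers and writing them with `setCellValueExplicit` removes the formula injection, while `htmlspecialchars` on the rendered value removes the XSS even if some other path lets attacker-influenced text into a cell. A sample that is not deployed cannot be reached, so also check whether the library's `samples/` directory is served by any web root before relying on the version bump alone.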

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45060.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/phpoffice/phpspreadsheet

Affected ranges

Type
GIT
Repo
https://github.com/phpoffice/phpspreadsheet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.29.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/phpoffice/phpspreadsheet
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/phpoffice/phpspreadsheet
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.3.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.0.0-beta
1.0.0-beta2
1.1.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.2.0
1.2.1
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.27.0
1.28.0
1.29.0
1.29.1
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
Other
phpexcel-last-cherry-picked-commit
phpexcel-last-release-1.*
phpexcel-last-release-1.8.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45060.json"