CVE-2024-56408

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-56408

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56408.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-56408

Aliases

GHSA-x88g-h956-m5xg

Published

2025-01-03T16:05:22.944Z

Modified

2025-11-20T12:31:39.984716Z

Severity

8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L CVSS Calculator

Summary

PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file

Details

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/phpoffice/phpspreadsheet

Affected ranges

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

Fixed

02c8625411dcb96e1f63d58c47460284e15b2e80

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.29.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

4a77798f835119754961a97714f135826a323caa

Fixed

04e8b6edc1bba1bbc8e1aef4111903d11e8323c1

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

b0993b7e4d9c860133365d115b176bc6e0f57022

Fixed

d836f2d7308a192441ccd1546545890b378af913

Database specific

{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.3.5"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-beta

1.0.0-beta2

1.1.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.2.0

1.2.1

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.27.0

1.28.0

1.29.0

1.29.1

1.29.2

1.29.4

1.29.5

1.29.6

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

2.*

2.0.0

2.1.0

2.1.1

2.1.3

2.1.4

2.1.5

2.2.0

2.2.1

2.2.2

2.3.0

2.3.2

2.3.3

2.3.4

Other

phpexcel-last-cherry-picked-commit

phpexcel-last-release-1.*

phpexcel-last-release-1.8.1