GHSA-hwcp-2h35-p66w

Suggest an improvement
Source
https://github.com/advisories/GHSA-hwcp-2h35-p66w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-hwcp-2h35-p66w/GHSA-hwcp-2h35-p66w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hwcp-2h35-p66w
Aliases
Published
2025-01-03T17:28:50Z
Modified
2025-01-03T19:28:23.328474Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
Details

Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: the HTML page is formed without sanitizing the hyperlink base Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateHTMLHeader Exploitation conditions: a user viewing a specially generated Excel file Mitigation: additional sanitization of special characters in a string Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header in Phpspreadsheet. The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.

Listing 8. Source code on the server

<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileName = './doc/Book1.xlsx';
$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code. The Excel file is unpacked and a HyperlinkBase in the file is inserted into the docProps/app.xml file.

fig14

Figure 14. Embedding the payload

After the changes were made, a new archive with the xlsx extension was created. At the moment of converting the xlsx file into the HTML representation, a property is obtained that participates in the formation of a string without sanitization.

fig15

Figure 15. Generating the HTML page header using the HyperlinkBase property

After generating and displaying the HTML representation of the XLSX file, arbitrary JavaScript code will be executed. <img width="356" alt="fig16" src="https://github.com/user-attachments/assets/c3694661-31e3-4be8-9a86-6eb4dd4647b5" />

Figure 16. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Database specific
{
    "nvd_published_at": "2025-01-03T18:15:16Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-03T17:28:50Z"
}
References

Affected packages

Packagist / phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.7.0

Affected versions

3.*

3.3.0
3.4.0
3.5.0
3.6.0

Packagist / phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.29.7

Affected versions

1.*

1.0.0-beta
1.0.0-beta2
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.26.0
1.27.0
1.27.1
1.28.0
1.29.0
1.29.1
1.29.2
1.29.4
1.29.5
1.29.6

Database specific

{
    "last_known_affected_version_range": "<= 1.29.6"
}

Packagist / phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.6

Affected versions

2.*

2.0.0
2.1.0
2.1.1
2.1.3
2.1.4
2.1.5

Database specific

{
    "last_known_affected_version_range": "<= 2.1.5"
}

Packagist / phpoffice/phpspreadsheet

Package

Name
phpoffice/phpspreadsheet
Purl
pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.3.5

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.3.0
2.3.2
2.3.3
2.3.4

Database specific

{
    "last_known_affected_version_range": "<= 2.3.4"
}