GHSA-r8w8-74ww-j4wh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r8w8-74ww-j4wh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-r8w8-74ww-j4wh/GHSA-r8w8-74ww-j4wh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r8w8-74ww-j4wh
- Aliases
-
- CVE-2024-45292
- Published
- 2024-10-07T15:58:25Z
- Modified
- 2024-10-07T22:33:59.770557Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks
- Details
-
Summary
\PhpOffice\PhpSpreadsheet\Writer\Htmldoes not sanitize "javascript:" URLs from hyperlinkhrefattributes, resulting in a Cross-Site Scripting vulnerability.PoC
Example target script:
<?php require 'vendor/autoload.php'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx"); $spreadsheet = $reader->load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll());Save this file in the same directory: book.xlsx
Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.
- Database specific
{ "nvd_published_at": "2024-10-07T20:15:05Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-10-07T15:58:25Z" }- References
-
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r8w8-74ww-j4wh
- https://nvd.nist.gov/vuln/detail/CVE-2024-45292
- https://github.com/PHPOffice/PhpSpreadsheet/commit/392dd08c5569b623060784e1333454d64df1f03d
- https://github.com/PHPOffice/PhpSpreadsheet/commit/8b9b378ecdc603234a34aab3b293d2cdc8e9210e
- https://github.com/PHPOffice/PhpSpreadsheet/commit/f0b70ed1086348904b27772b264e1605ba6c1d6d
- https://github.com/PHPOffice/PhpSpreadsheet
Affected packages
Packagist / phpoffice/phpspreadsheet
Package
- Name
- phpoffice/phpspreadsheet
- Purl
- pkg:composer/phpoffice/phpspreadsheet
Packagist / phpoffice/phpspreadsheet
Package
- Name
- phpoffice/phpspreadsheet
- Purl
- pkg:composer/phpoffice/phpspreadsheet
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.29.2
Affected versions
1.*
1.0.0-beta
1.0.0-beta2
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.26.0
1.27.0
1.27.1
1.28.0
1.29.0
1.29.1
Packagist / phpoffice/phpspreadsheet
Package
- Name
- phpoffice/phpspreadsheet
- Purl
- pkg:composer/phpoffice/phpspreadsheet