GHSA-wgmf-q9vr-vww6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wgmf-q9vr-vww6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-wgmf-q9vr-vww6/GHSA-wgmf-q9vr-vww6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wgmf-q9vr-vww6
- Aliases
- Published
- 2024-08-29T17:56:56Z
- Modified
- 2024-09-04T14:53:43.992129Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
- Details
-
Summary
\PhpOffice\PhpSpreadsheet\Writer\Htmldoesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.PoC
Example target script:
<?php require 'vendor/autoload.php'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx"); $spreadsheet = $reader->load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll());Save this file in the same directory: book.xlsx
Open index.php in a web browser. An alert should be displayed.
Impact
Full takeover of the session of users viewing spreadsheet files as HTML.
- Database specific
{ "nvd_published_at": "2024-08-28T21:15:06Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-08-29T17:56:56Z" }- References
-
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6
- https://nvd.nist.gov/vuln/detail/CVE-2024-45046
- https://github.com/PHPOffice/PhpSpreadsheet/pull/3957
- https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667
- https://github.com/PHPOffice/PhpSpreadsheet
Affected packages
Packagist / phpoffice/phpspreadsheet
Package
- Name
- phpoffice/phpspreadsheet
- Purl
- pkg:composer/phpoffice/phpspreadsheet
Packagist / phpoffice/phpspreadsheet
Package
- Name
- phpoffice/phpspreadsheet
- Purl
- pkg:composer/phpoffice/phpspreadsheet
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.29.1
Affected versions
1.*
1.0.0-beta
1.0.0-beta2
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.26.0
1.27.0
1.27.1
1.28.0
1.29.0