All the vulnerabilites related to PHPOffice - PhpSpreadsheet
cve-2024-45293
Vulnerability from cvelistv5
Published
2024-10-07 20:03
Modified
2024-10-07 20:25
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: >= 2.2.0, < 2.3.0 Version: < 1.29.1 Version: >= 2.0.0, < 2.1.1 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "2.3.0", "status": "affected", "version": "2.2.0", "versionType": "custom" }, { "lessThan": "1.29.1", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.1", "status": "affected", "version": "2.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45293", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-07T20:23:44.790245Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:25:10.635Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.0" }, { "status": "affected", "version": "\u003c 1.29.1" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.1" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file\u0027s XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding=\"*\"` and/or `encoding=\u0027*\u0027`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet\u0027s Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:03:27.080Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-6hwr-6v2f-3m88" } ], "source": { "advisory": "GHSA-6hwr-6v2f-3m88", "discovery": "UNKNOWN" }, "title": "XML External Entity Reference (XXE) in PHPSpreadsheet\u0027s XLSX reader" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45293", "datePublished": "2024-10-07T20:03:27.080Z", "dateReserved": "2024-08-26T18:25:35.442Z", "dateUpdated": "2024-10-07T20:25:10.635Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12331
Vulnerability from cvelistv5
Published
2019-11-07 14:03
Modified
2024-08-04 23:17
Severity ?
EPSS score ?
Summary
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/blob/master/CHANGELOG.md#180---2019-07-01 | x_refsource_CONFIRM | |
https://herolab.usd.de/security-advisories/usd-2019-0046/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:17:39.846Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/CHANGELOG.md#180---2019-07-01" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://herolab.usd.de/security-advisories/usd-2019-0046/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-07-01T00:00:00", "descriptions": [ { "lang": "en", "value": "PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string \u201a\u003c!ENTITY\u2018 and thus allowing for an xml external entity processing (XXE) attack." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-07T14:03:43", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/CHANGELOG.md#180---2019-07-01" }, { "tags": [ "x_refsource_MISC" ], "url": "https://herolab.usd.de/security-advisories/usd-2019-0046/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12331", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string \u201a\u003c!ENTITY\u2018 and thus allowing for an xml external entity processing (XXE) attack." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/CHANGELOG.md#180---2019-07-01", "refsource": "CONFIRM", "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/CHANGELOG.md#180---2019-07-01" }, { "name": "https://herolab.usd.de/security-advisories/usd-2019-0046/", "refsource": "MISC", "url": "https://herolab.usd.de/security-advisories/usd-2019-0046/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12331", "datePublished": "2019-11-07T14:03:43", "dateReserved": "2019-05-27T00:00:00", "dateUpdated": "2024-08-04T23:17:39.846Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-47873
Vulnerability from cvelistv5
Published
2024-11-18 17:03
Modified
2024-11-18 18:28
Severity ?
EPSS score ?
Summary
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 1.29.4 Version: >= 2.0.0, < 2.1.3 Version: >= 2.2.0, < 2.3.2 Version: >= 3.3.0, < 3.4.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "1.29.4", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.3", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThan": "2.3.2", "status": "affected", "version": "2.2.0", "versionType": "custom" }, { "lessThan": "3.4.0", "status": "affected", "version": "3.3.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-47873", "options": [ { "Exploitation": "poc" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-18T18:28:33.862619Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-18T18:28:36.292Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 1.29.4" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.3" }, { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.2" }, { "status": "affected", "version": "\u003e= 3.3.0, \u003c 3.4.0" } ] } ], "descriptions": [ { "lang": "en", "value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-18T17:03:00.366Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jw4x-v69f-hh5w", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jw4x-v69f-hh5w" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php" }, { "name": "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "tags": [ "x_refsource_MISC" ], "url": "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing" }, { "name": "https://www.w3.org/TR/xml/#sec-guessing-no-ext-info", "tags": [ "x_refsource_MISC" ], "url": "https://www.w3.org/TR/xml/#sec-guessing-no-ext-info" } ], "source": { "advisory": "GHSA-jw4x-v69f-hh5w", "discovery": "UNKNOWN" }, "title": "PhpSpreadsheet XmlScanner bypass leads to XXE" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-47873", "datePublished": "2024-11-18T17:03:00.366Z", "dateReserved": "2024-10-04T16:00:09.629Z", "dateUpdated": "2024-11-18T18:28:36.292Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-7776
Vulnerability from cvelistv5
Published
2020-12-09 16:45
Modified
2024-09-16 19:39
Severity ?
EPSS score ?
Summary
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | phpoffice/phpspreadsheet |
Version: 0.0.0 < unspecified |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T09:41:01.607Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "phpoffice/phpspreadsheet", "vendor": "n/a", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "0.0.0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Nikkolai Fernandez" } ], "datePublic": "2020-12-09T00:00:00", "descriptions": [ { "lang": "en", "value": "This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "PROOF_OF_CONCEPT", "integrityImpact": "LOW", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 6.4, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site Scripting (XSS)", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-12-11T03:43:41", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792" } ], "title": "Cross-site Scripting (XSS)", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2020-12-09T16:40:08.254495Z", "ID": "CVE-2020-7776", "STATE": "PUBLIC", "TITLE": "Cross-site Scripting (XSS)" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "phpoffice/phpspreadsheet", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "0.0.0" } ] } } ] }, "vendor_name": "n/a" } ] } }, "credit": [ { "lang": "eng", "value": "Nikkolai Fernandez" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site Scripting (XSS)" } ] } ] }, "references": { "reference_data": [ { "name": "https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845", "refsource": "MISC", "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792", "refsource": "MISC", "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792" } ] } } } }, "cveMetadata": { "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2020-7776", "datePublished": "2020-12-09T16:45:18.358373Z", "dateReserved": "2020-01-21T00:00:00", "dateUpdated": "2024-09-16T19:39:56.390Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45046
Vulnerability from cvelistv5
Published
2024-08-28 20:41
Modified
2024-08-29 13:11
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker may used a crafted spreadsheet to fully takeover a session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6 | x_refsource_CONFIRM | |
https://github.com/PHPOffice/PhpSpreadsheet/pull/3957 | x_refsource_MISC | |
https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 2.1.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpspreadsheet_project:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpspreadsheet_project", "versions": [ { "lessThan": "2.1.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45046", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T13:10:53.744014Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-29T13:11:25.969Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 2.1.0" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\\PhpOffice\\PhpSpreadsheet\\Writer\\Html` doesn\u0027t sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker may used a crafted spreadsheet to fully takeover a session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-28T20:41:23.628Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/pull/3957", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/pull/3957" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667" } ], "source": { "advisory": "GHSA-wgmf-q9vr-vww6", "discovery": "UNKNOWN" }, "title": "PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45046", "datePublished": "2024-08-28T20:41:23.628Z", "dateReserved": "2024-08-21T17:53:51.331Z", "dateUpdated": "2024-08-29T13:11:25.969Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45048
Vulnerability from cvelistv5
Published
2024-08-28 20:38
Modified
2024-08-29 13:10
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7 | x_refsource_CONFIRM | |
https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 2.2.1 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpspreadsheet_project:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpspreadsheet_project", "versions": [ { "lessThan": "2.2.1", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45048", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-08-29T13:08:33.737650Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-29T13:10:20.156Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 2.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-28T20:38:29.486Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda" } ], "source": { "advisory": "GHSA-ghg6-32f9-2jp7", "discovery": "UNKNOWN" }, "title": "XML External Entity Reference (XXE) in PHPSpreadsheet" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45048", "datePublished": "2024-08-28T20:38:29.486Z", "dateReserved": "2024-08-21T17:53:51.331Z", "dateUpdated": "2024-08-29T13:10:20.156Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45060
Vulnerability from cvelistv5
Published
2024-10-07 20:15
Modified
2024-10-08 18:28
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected leading to formula injection. The code in in `45_Quadratic_equation_solver.php` concatenates the user supplied parameters directly into spreadsheet formulas. This allows an attacker to take control over the formula and output unsanitized data into the page, resulting in JavaScript execution. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 1.29.2 Version: >= 2.0.0, < 2.1.1 Version: >= 2.2.0, < 2.3.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "1.29.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.1", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThan": "2.3.0", "status": "affected", "version": "2.2.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45060", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T18:27:07.349833Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T18:28:48.263Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 1.29.2" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.1" }, { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.0" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected leading to formula injection. The code in in `45_Quadratic_equation_solver.php` concatenates the user supplied parameters directly into spreadsheet formulas. This allows an attacker to take control over the formula and output unsanitized data into the page, resulting in JavaScript execution. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:15:35.087Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-v66g-p9x6-v98p", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-v66g-p9x6-v98p" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/blob/d50b8b5de7e30439fb57eae7df9ea90e79fa0f2d/samples/Basic/45_Quadratic_equation_solver.php#L56", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/d50b8b5de7e30439fb57eae7df9ea90e79fa0f2d/samples/Basic/45_Quadratic_equation_solver.php#L56" } ], "source": { "advisory": "GHSA-v66g-p9x6-v98p", "discovery": "UNKNOWN" }, "title": "Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45060", "datePublished": "2024-10-07T20:15:35.087Z", "dateReserved": "2024-08-21T17:53:51.334Z", "dateUpdated": "2024-10-08T18:28:48.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45290
Vulnerability from cvelistv5
Published
2024-10-07 20:12
Modified
2024-10-08 18:31
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL. Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component. An attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-5gpr-w2p5-6m37 | x_refsource_CONFIRM | |
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 1.29.2 Version: >= 2.0.0, < 2.1.1 Version: >= 2.2.0, < 2.3.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "1.29.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.1", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThan": "2.3.0", "status": "affected", "version": "2.2.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45290", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T18:29:57.129855Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T18:31:06.318Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 1.29.2" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.1" }, { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.0" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It\u0027s possible for an attacker to construct an XLSX file which links media from external URLs. When opening the XLSX file, PhpSpreadsheet retrieves the image size and type by reading the file contents, if the provided path is a URL. By using specially crafted `php://filter` URLs an attacker can leak the contents of any file or URL. Note that this vulnerability is different from GHSA-w9xv-qf98-ccq4, and resides in a different component. An attacker can access any file on the server, or leak information form arbitrary URLs, potentially exposing sensitive information such as AWS IAM credentials. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-36", "description": "CWE-36: Absolute Path Traversal", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:12:38.190Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-5gpr-w2p5-6m37", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-5gpr-w2p5-6m37" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4" } ], "source": { "advisory": "GHSA-5gpr-w2p5-6m37", "discovery": "UNKNOWN" }, "title": "Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45290", "datePublished": "2024-10-07T20:12:38.190Z", "dateReserved": "2024-08-26T18:25:35.442Z", "dateUpdated": "2024-10-08T18:31:06.318Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45291
Vulnerability from cvelistv5
Published
2024-10-07 20:09
Modified
2024-10-08 18:32
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer->setEmbedImages(true);` those files will be included in the output as `data:` URLs, regardless of the file's type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability. When embedding images has been enabled, an attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests. Note that any PHP protocol wrappers can be used, meaning that if for example the `expect://` wrapper is enabled, also remote code execution is possible. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. there are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4 | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 1.29.2 Version: >= 2.0.0, < 2.1.1 Version: >= 2.2.0, < 2.3.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "1.29.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.1", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThan": "2.3.0", "status": "affected", "version": "2.2.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45291", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-08T18:31:36.625928Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-08T18:32:25.328Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 1.29.2" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.1" }, { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.0" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It\u0027s possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with `$writer-\u003esetEmbedImages(true);` those files will be included in the output as `data:` URLs, regardless of the file\u0027s type. Also URLs can be used for embedding, resulting in a Server-Side Request Forgery vulnerability. When embedding images has been enabled, an attacker can read arbitrary files on the server and perform arbitrary HTTP GET requests. Note that any PHP protocol wrappers can be used, meaning that if for example the `expect://` wrapper is enabled, also remote code execution is possible. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. there are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-36", "description": "CWE-36: Absolute Path Traversal", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:09:58.029Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-w9xv-qf98-ccq4" } ], "source": { "advisory": "GHSA-w9xv-qf98-ccq4", "discovery": "UNKNOWN" }, "title": "Path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled in PHPSpreadsheet" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45291", "datePublished": "2024-10-07T20:09:58.029Z", "dateReserved": "2024-08-26T18:25:35.442Z", "dateUpdated": "2024-10-08T18:32:25.328Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-19277
Vulnerability from cvelistv5
Published
2018-11-14 11:00
Modified
2024-08-05 11:30
Severity ?
EPSS score ?
Summary
securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/issues/771 | x_refsource_MISC | |
https://www.bishopfox.com/news/2018/11/phpoffice-versions/ | x_refsource_MISC | |
https://github.com/MewesK/TwigSpreadsheetBundle/issues/18 | x_refsource_MISC | |
https://www.drupal.org/sa-contrib-2021-043 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:30:04.281Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/issues/771" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.bishopfox.com/news/2018/11/phpoffice-versions/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/MewesK/TwigSpreadsheetBundle/issues/18" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.drupal.org/sa-contrib-2021-043" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2018-11-14T00:00:00", "descriptions": [ { "lang": "en", "value": "securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-10-13T18:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/issues/771" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.bishopfox.com/news/2018/11/phpoffice-versions/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/MewesK/TwigSpreadsheetBundle/issues/18" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.drupal.org/sa-contrib-2021-043" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-19277", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/issues/771", "refsource": "MISC", "url": "https://github.com/PHPOffice/PhpSpreadsheet/issues/771" }, { "name": "https://www.bishopfox.com/news/2018/11/phpoffice-versions/", "refsource": "MISC", "url": "https://www.bishopfox.com/news/2018/11/phpoffice-versions/" }, { "name": "https://github.com/MewesK/TwigSpreadsheetBundle/issues/18", "refsource": "MISC", "url": "https://github.com/MewesK/TwigSpreadsheetBundle/issues/18" }, { "name": "https://www.drupal.org/sa-contrib-2021-043", "refsource": "MISC", "url": "https://www.drupal.org/sa-contrib-2021-043" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-19277", "datePublished": "2018-11-14T11:00:00", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-08-05T11:30:04.281Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-48917
Vulnerability from cvelistv5
Published
2024-11-18 19:48
Modified
2024-11-18 20:15
Severity ?
EPSS score ?
Summary
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding="UTF-8"` with `"`, which is matched by the first regex, so that `encoding='UTF-7'` with single quotes `'` in the XML header is not matched by the second regex. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 1.29.4 Version: >= 2.0.0, < 2.1.3 Version: >= 2.2.0, < 2.3.2 Version: >= 3.3.0, < 3.4.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:-:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "1.29.4", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.3", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThan": "2.3.2", "status": "affected", "version": "2.2.0", "versionType": "custom" }, { "lessThan": "3.4.0", "status": "affected", "version": "3.3.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-48917", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-11-18T20:14:30.431041Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-11-18T20:15:55.299Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 1.29.4" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.3" }, { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.2" }, { "status": "affected", "version": "\u003e= 3.3.0, \u003c 3.4.0" } ] } ], "descriptions": [ { "lang": "en", "value": "PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding=\"UTF-8\"` with `\"`, which is matched by the first regex, so that `encoding=\u0027UTF-7\u0027` with single quotes `\u0027` in the XML header is not matched by the second regex. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-11-18T19:48:42.656Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp" }, { "name": "https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php" }, { "name": "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "tags": [ "x_refsource_MISC" ], "url": "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing" } ], "source": { "advisory": "GHSA-7cc9-j4mv-vcjp", "discovery": "UNKNOWN" }, "title": "XXE in PHPSpreadsheet\u0027s XLSX reader" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-48917", "datePublished": "2024-11-18T19:48:42.656Z", "dateReserved": "2024-10-09T22:06:46.172Z", "dateUpdated": "2024-11-18T20:15:55.299Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-45292
Vulnerability from cvelistv5
Published
2024-10-07 20:06
Modified
2024-10-07 20:26
Severity ?
EPSS score ?
Summary
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
▼ | URL | Tags |
---|---|---|
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r8w8-74ww-j4wh | x_refsource_CONFIRM |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | PHPOffice | PhpSpreadsheet |
Version: < 1.29.2 Version: >= 2.0.0, < 2.1.1 Version: >= 2.2.0, < 2.3.0 |
|
{ "containers": { "adp": [ { "affected": [ { "cpes": [ "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "phpspreadsheet", "vendor": "phpoffice", "versions": [ { "lessThan": "1.29.2", "status": "affected", "version": "0", "versionType": "custom" }, { "lessThan": "2.1.1", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThan": "2.3.0", "status": "affected", "version": "2.2.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-45292", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-07T20:25:34.226574Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:26:37.224Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "PhpSpreadsheet", "vendor": "PHPOffice", "versions": [ { "status": "affected", "version": "\u003c 1.29.2" }, { "status": "affected", "version": "\u003e= 2.0.0, \u003c 2.1.1" }, { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.3.0" } ] } ], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\\PhpOffice\\PhpSpreadsheet\\Writer\\Html` does not sanitize \"javascript:\" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-07T20:06:13.595Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r8w8-74ww-j4wh", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r8w8-74ww-j4wh" } ], "source": { "advisory": "GHSA-r8w8-74ww-j4wh", "discovery": "UNKNOWN" }, "title": "PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45292", "datePublished": "2024-10-07T20:06:13.595Z", "dateReserved": "2024-08-26T18:25:35.442Z", "dateUpdated": "2024-10-07T20:26:37.224Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }