GHSA-JMPX-686V-C3WX

Vulnerability from github – Published: 2025-01-03 17:06 – Updated: 2025-03-06 18:21
VLAI?
Summary
PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
Details

Unauthorized Reflected XSS in the constructor of the Downloader class

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/download.php script, an attacker can perform a XSS-type attack Impact: execution of arbitrary JavaScript code in the browser Vulnerable component: the constructor of the Downloader class Exploitation conditions: an unauthorized user Mitigation: sanitization of the name and type variables Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the Downloader class) in Phpspreadsheet.

The latest version (3.6.0) of the phpoffice/phpspreadsheet library was installed. The installation was carried out with the inclusion of examples.

Listing 1. Installing the phpoffice/phpspreadsheet library

$ composer require phpoffice/phpspreadsheet --prefer-source

The ./vendor/phpoffice/phpspreadsheet/samples/download.php file processes the GET parameters name and type.

fig1

Figure 1. The ./vendor/phpoffice/phpspreadsheet/samples/download.php file accepts GET parameters.

Consider the constructor of the Downloader class, where GET parameters are passed. Error is displayed without sanitization using GET parameters transmitted from the user.

fig2

Figure 2. Error is displayed without sanitization

When clicking on the following link, arbitrary JavaScript code will be executed.

Listing 2.

https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/download.php?name=%3Cimg%20src=1%20onerror=alert()%3E&type=1

Demonstration of the execution of arbitrary JavaScript code.

fig3

Figure 3. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
8.3 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.29.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-03T17:06:05Z",
    "nvd_published_at": "2025-01-03T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "# Unauthorized Reflected XSS in the constructor of the `Downloader` class\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack\n**Impact**: execution of arbitrary JavaScript code in the browser\n**Vulnerable component**: the constructor of the `Downloader` class\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the `name` and `type` variables\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet.\n\nThe latest version (3.6.0) of the `phpoffice/phpspreadsheet` library was installed. The installation was carried out with the inclusion of examples.\n\n*Listing 1. Installing the `phpoffice/phpspreadsheet` library*\n```\n$ composer require phpoffice/phpspreadsheet --prefer-source\n```\n\nThe `./vendor/phpoffice/phpspreadsheet/samples/download.php` file processes the GET parameters `name` and `type`.\n\n![fig1](https://github.com/user-attachments/assets/78d5b3c7-e2ab-4487-98e2-a975f74a71c0)\n\n*Figure 1. The `./vendor/phpoffice/phpspreadsheet/samples/download.php` file accepts GET parameters.*\n\nConsider the constructor of the `Downloader` class, where GET parameters are passed. Error is displayed without sanitization using GET parameters transmitted from the user.\n\n![fig2](https://github.com/user-attachments/assets/00baf1f8-298c-4654-a3e4-b99cf8053eac)\n\n*Figure 2. Error is displayed without sanitization*\n\nWhen clicking on the following link, arbitrary JavaScript code will be executed.\n\n*Listing 2.*\n```\nhttps://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/download.php?name=%3Cimg%20src=1%20onerror=alert()%3E\u0026type=1\n```\n\nDemonstration of the execution of arbitrary JavaScript code.\n\n\u003cimg width=\"537\" alt=\"fig3\" src=\"https://github.com/user-attachments/assets/745d6e21-396f-4357-8ff8-e856adf15fee\" /\u003e\n\n*Figure 3. Executing arbitrary JavaScript code*\n\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**",
  "id": "GHSA-jmpx-686v-c3wx",
  "modified": "2025-03-06T18:21:36Z",
  "published": "2025-01-03T17:06:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jmpx-686v-c3wx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56365"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4#diff-fbb0f53a5c68eeeffaa9ab35552c0b01740396f1a4045af5d2935ec2a62a7816"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.