GHSA-Q9JV-MM3R-J47R

Vulnerability from github – Published: 2025-01-03 17:29 – Updated: 2025-03-06 18:16
VLAI?
Summary
PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
Details

Bypass XSS sanitizer using the javascript protocol and special characters

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow Exploitation conditions: a user viewing a specially generated Excel file Mitigation: additional sanitization of special characters in a string Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.

The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.

Listing 6. Source code on the server

<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileName = './doc/Book1.xlsx';
$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

An attacker can use special characters so that this library processes the javascript protocol with special characters and generates a HTML link. The Excel file is unpacked and a hyperlink in the file is inserted into the xl/worksheets/sheet1.xml file.

fig11

Figure 11. Using the javascript protocol with special characters

Some payloads help bypass the security system and carry out a XSS attack.

Listing 7. HTML form that demonstrates the exploitation of the XSS vulnerability

jav&#x09;ascript:alert()
jav&#x0D;ascript:alert()
jav&#x0A;ascript:alert()

It's clear that the javascript protocol with special characters is used.

fig12

Figure 12. Using the javascript protocol with special characters

Due to the special characters, the execution stream ends up on line 1543, and the link is built in HTML form with the javascript protocol.

fig13

Figure 13. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.29.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56412"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-03T17:29:10Z",
    "nvd_published_at": "2025-01-03T18:15:16Z",
    "severity": "MODERATE"
  },
  "details": "# Bypass XSS sanitizer using the javascript protocol and special characters\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description**: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateRow`\n**Exploitation conditions**: a user viewing a specially generated Excel file\n**Mitigation**: additional sanitization of special characters in a string\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.\n\nThe following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.\n\n*Listing 6. Source code on the server*\n\n```\n\u003c?php\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n$inputFileName = \u0027./doc/Book1.xlsx\u0027;\n$spreadsheet = \\PhpOffice\\PhpSpreadsheet\\IOFactory::load($inputFileName);\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);\nprint($writer-\u003egenerateHTMLAll());\n```\n\nAn attacker can use special characters so that this library processes the javascript protocol with special characters and generates a HTML link.\nThe Excel file is unpacked and a hyperlink in the file is inserted into the `xl/worksheets/sheet1.xml` file.\n\n![fig11](https://github.com/user-attachments/assets/b9d53f7a-6f36-4853-95f9-8aa22f81eccd)\n\n*Figure 11. Using the javascript protocol with special characters*\n\nSome payloads help bypass the security system and carry out a XSS attack.\n\n*Listing 7. HTML form that demonstrates the exploitation of the XSS vulnerability*\n\n```\njav\u0026#x09;ascript:alert()\njav\u0026#x0D;ascript:alert()\njav\u0026#x0A;ascript:alert()\n```\n\nIt\u0027s clear that the javascript protocol with special characters is used. \n\n![fig12](https://github.com/user-attachments/assets/7595e88b-9848-4251-845c-2c2d8032e479)\n\n*Figure 12. Using the javascript protocol with special characters*\n\nDue to the special characters, the execution stream ends up on line 1543, and the link is built in HTML form with the javascript protocol.\n\n\u003cimg width=\"373\" alt=\"fig13\" src=\"https://github.com/user-attachments/assets/3ca0c3c6-daa9-4502-ad9e-b803f308fd26\" /\u003e\n\n*Figure 13. Executing arbitrary JavaScript code*\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**",
  "id": "GHSA-q9jv-mm3r-j47r",
  "modified": "2025-03-06T18:16:56Z",
  "published": "2025-01-03T17:29:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-q9jv-mm3r-j47r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56412"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.