GHSA-WV23-996V-Q229
Vulnerability from github – Published: 2025-01-03 17:25 – Updated: 2025-03-06 18:18Cross-Site Scripting (XSS) vulnerability in custom properties
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
Description: the HTML page is generated without clearing custom properties
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateMeta
Exploitation conditions: a user viewing a specially generated Excel file
Mitigation: additional sanitization of special characters in a string
Researcher: Aleksey Solovev (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in custom properties in Phpspreadsheet. The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.
Listing 9. Source code on the server
<?php
require __DIR__ . '/vendor/autoload.php';
$inputFileName = './doc/Book1.xlsx';
$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code.
The Excel file is unpacked and a custom property in the file is inserted into the docProps/custom.xml file.
Figure 17. Embedding the payload
After making the changes, a new archive with the xlsx extension was created. At the moment of converting the xlsx file into an HTML representation, a property is obtained that participates in the formation of a string without sanitization.
Figure 18. Getting a custom property
When calling the static generateMeta method, you can see that the key of the custom property is displayed without sanitization.
Figure 19. Getting a custom property
As a result, when viewing the excel file as the HTML representation, arbitrary JavaScript code will be executed.
Figure 20. Executing arbitrary JavaScript code
Credit
This vulnerability was discovered by Aleksey Solovev (Positive Technologies)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.7.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.29.6"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.29.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.5"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.4"
},
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpspreadsheet"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.3.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "phpoffice/phpexcel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-56410"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-03T17:25:45Z",
"nvd_published_at": "2025-01-03T18:15:15Z",
"severity": "MODERATE"
},
"details": "# Cross-Site Scripting (XSS) vulnerability in custom properties\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description**: the HTML page is generated without clearing custom properties\n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateMeta`\n**Exploitation conditions**: a user viewing a specially generated Excel file\n**Mitigation**: additional sanitization of special characters in a string\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in custom properties in Phpspreadsheet.\nThe following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.\n\n*Listing 9. Source code on the server*\n\n```\n\u003c?php\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n$inputFileName = \u0027./doc/Book1.xlsx\u0027;\n$spreadsheet = \\PhpOffice\\PhpSpreadsheet\\IOFactory::load($inputFileName);\n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);\nprint($writer-\u003egenerateHTMLAll());\n```\n\nAn attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code.\nThe Excel file is unpacked and a custom property in the file is inserted into the `docProps/custom.xml` file.\n\n\n\n*Figure 17. Embedding the payload*\n\nAfter making the changes, a new archive with the xlsx extension was created. At the moment of converting the xlsx file into an HTML representation, a property is obtained that participates in the formation of a string without sanitization.\n\n\n\n*Figure 18. Getting a custom property*\n\nWhen calling the static `generateMeta` method, you can see that the key of the custom property is displayed without sanitization.\n\n\n\n*Figure 19. Getting a custom property*\n\nAs a result, when viewing the excel file as the HTML representation, arbitrary JavaScript code will be executed.\n\n\u003cimg width=\"356\" alt=\"fig20\" src=\"https://github.com/user-attachments/assets/a6ed21e3-685c-415c-b2dc-453bc0652bef\" /\u003e\n\n*Figure 20. Executing arbitrary JavaScript code*\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**",
"id": "GHSA-wv23-996v-q229",
"modified": "2025-03-06T18:18:12Z",
"published": "2025-01-03T17:25:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wv23-996v-q229"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56410"
},
{
"type": "WEB",
"url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e"
},
{
"type": "PACKAGE",
"url": "https://github.com/PHPOffice/PhpSpreadsheet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.