GHSA-jmpx-686v-c3wx

Source

https://github.com/advisories/GHSA-jmpx-686v-c3wx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-jmpx-686v-c3wx/GHSA-jmpx-686v-c3wx.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-jmpx-686v-c3wx

Aliases

CVE-2024-56365

Related

CVE-2024-56365

Published

2025-01-03T17:06:05Z

Modified

2025-01-03T19:25:23.090526Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS Calculator
8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L CVSS Calculator

Summary

PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class

Details

Unauthorized Reflected XSS in the constructor of the `Downloader` class

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/download.php script, an attacker can perform a XSS-type attack Impact: execution of arbitrary JavaScript code in the browser Vulnerable component: the constructor of the Downloader class Exploitation conditions: an unauthorized user Mitigation: sanitization of the name and type variables Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the Downloader class) in Phpspreadsheet.

The latest version (3.6.0) of the phpoffice/phpspreadsheet library was installed. The installation was carried out with the inclusion of examples.

Listing 1. Installing the phpoffice/phpspreadsheet library

$ composer require phpoffice/phpspreadsheet --prefer-source

The ./vendor/phpoffice/phpspreadsheet/samples/download.php file processes the GET parameters name and type.

fig1

Figure 1. The ./vendor/phpoffice/phpspreadsheet/samples/download.php file accepts GET parameters.

Consider the constructor of the Downloader class, where GET parameters are passed. Error is displayed without sanitization using GET parameters transmitted from the user.

fig2

Figure 2. Error is displayed without sanitization

When clicking on the following link, arbitrary JavaScript code will be executed.

Listing 2.

https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/download.php?name=%3Cimg%20src=1%20onerror=alert()%3E&type=1

Demonstration of the execution of arbitrary JavaScript code.

Figure 3. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Database specific

{
    "nvd_published_at": "2025-01-03T17:15:08Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-03T17:06:05Z"
}

References

Affected packages

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.7.0

Affected versions

3.*

3.3.0

3.4.0

3.5.0

3.6.0

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.29.7

Affected versions

1.*

1.0.0-beta

1.0.0-beta2

1.0.0

1.1.0

1.2.0

1.2.1

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.26.0

1.27.0

1.27.1

1.28.0

1.29.0

1.29.1

1.29.2

1.29.4

1.29.5

1.29.6

Database specific

{
    "last_known_affected_version_range": "<= 1.29.6"
}

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.1.6

Affected versions

2.*

2.0.0

2.1.0

2.1.1

2.1.3

2.1.4

2.1.5

Database specific

{
    "last_known_affected_version_range": "<= 2.1.5"
}

Packagist / phpoffice/phpspreadsheet

Package

Name: phpoffice/phpspreadsheet
Purl: pkg:composer/phpoffice/phpspreadsheet

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.3.5

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

2.3.2

2.3.3

2.3.4

Database specific

{
    "last_known_affected_version_range": "<= 2.3.4"
}

GHSA-jmpx-686v-c3wx

Unauthorized Reflected XSS in the constructor of the Downloader class

Research

Credit

Affected packages

Packagist / phpoffice/phpspreadsheet

Package

Affected ranges

Affected versions

3.*

Packagist / phpoffice/phpspreadsheet

Package

Affected ranges

Affected versions

1.*

Database specific

Packagist / phpoffice/phpspreadsheet

Package

Affected ranges

Affected versions

2.*

Database specific

Packagist / phpoffice/phpspreadsheet

Package

Affected ranges

Affected versions

2.*

Database specific

Unauthorized Reflected XSS in the constructor of the `Downloader` class