ghsa-jmpx-686v-c3wx
Vulnerability from github
Published
2025-01-03 17:06
Modified
2025-03-06 18:21
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
8.3 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
Summary
PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
Details

Unauthorized Reflected XSS in the constructor of the Downloader class

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/download.php script, an attacker can perform a XSS-type attack Impact: execution of arbitrary JavaScript code in the browser Vulnerable component: the constructor of the Downloader class Exploitation conditions: an unauthorized user Mitigation: sanitization of the name and type variables Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the Downloader class) in Phpspreadsheet.

The latest version (3.6.0) of the phpoffice/phpspreadsheet library was installed. The installation was carried out with the inclusion of examples.

Listing 1. Installing the phpoffice/phpspreadsheet library $ composer require phpoffice/phpspreadsheet --prefer-source

The ./vendor/phpoffice/phpspreadsheet/samples/download.php file processes the GET parameters name and type.

fig1

Figure 1. The ./vendor/phpoffice/phpspreadsheet/samples/download.php file accepts GET parameters.

Consider the constructor of the Downloader class, where GET parameters are passed. Error is displayed without sanitization using GET parameters transmitted from the user.

fig2

Figure 2. Error is displayed without sanitization

When clicking on the following link, arbitrary JavaScript code will be executed.

Listing 2. https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/download.php?name=%3Cimg%20src=1%20onerror=alert()%3E&type=1

Demonstration of the execution of arbitrary JavaScript code.

fig3

Figure 3. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.29.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpexcel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-56365"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-03T17:06:05Z",
    "nvd_published_at": "2025-01-03T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "# Unauthorized Reflected XSS in the constructor of the `Downloader` class\n\n**Product**: Phpspreadsheet\n**Version**: version 3.6.0\n**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)\n**CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)\n**Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack\n**Impact**: execution of arbitrary JavaScript code in the browser\n**Vulnerable component**: the constructor of the `Downloader` class\n**Exploitation conditions**: an unauthorized user\n**Mitigation**: sanitization of the `name` and `type` variables\n**Researcher**: Aleksey Solovev (Positive Technologies)\n\n# Research\n\nThe researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet.\n\nThe latest version (3.6.0) of the `phpoffice/phpspreadsheet` library was installed. The installation was carried out with the inclusion of examples.\n\n*Listing 1. Installing the `phpoffice/phpspreadsheet` library*\n```\n$ composer require phpoffice/phpspreadsheet --prefer-source\n```\n\nThe `./vendor/phpoffice/phpspreadsheet/samples/download.php` file processes the GET parameters `name` and `type`.\n\n![fig1](https://github.com/user-attachments/assets/78d5b3c7-e2ab-4487-98e2-a975f74a71c0)\n\n*Figure 1. The `./vendor/phpoffice/phpspreadsheet/samples/download.php` file accepts GET parameters.*\n\nConsider the constructor of the `Downloader` class, where GET parameters are passed. Error is displayed without sanitization using GET parameters transmitted from the user.\n\n![fig2](https://github.com/user-attachments/assets/00baf1f8-298c-4654-a3e4-b99cf8053eac)\n\n*Figure 2. Error is displayed without sanitization*\n\nWhen clicking on the following link, arbitrary JavaScript code will be executed.\n\n*Listing 2.*\n```\nhttps://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/download.php?name=%3Cimg%20src=1%20onerror=alert()%3E\u0026type=1\n```\n\nDemonstration of the execution of arbitrary JavaScript code.\n\n\u003cimg width=\"537\" alt=\"fig3\" src=\"https://github.com/user-attachments/assets/745d6e21-396f-4357-8ff8-e856adf15fee\" /\u003e\n\n*Figure 3. Executing arbitrary JavaScript code*\n\n\n# Credit\nThis vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**",
  "id": "GHSA-jmpx-686v-c3wx",
  "modified": "2025-03-06T18:21:36Z",
  "published": "2025-01-03T17:06:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jmpx-686v-c3wx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56365"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4#diff-fbb0f53a5c68eeeffaa9ab35552c0b01740396f1a4045af5d2935ec2a62a7816"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.