GHSA-r8w8-74ww-j4wh: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks
CVE ID: CVE-2024-45292
Moderate severity. GitHub Reviewed. Published Oct 7, 2024 in PHPOffice/PhpSpreadsheet. Updated Oct 7, 2024.
Package
phpoffice/phpspreadsheet (Composer)
Affected versions
>= 2.2.0, < 2.3.0
< 1.29.2
>= 2.0.0, < 2.1.1
Patched versions
2.3.0
1.29.2
2.1.1
Summary
\PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize “javascript:” URLs in hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability.
PoC
Example target script:
<?php
// index.php: loads the workbook and emits the generated HTML, including its hyperlink targets, unfiltered
require 'vendor/autoload.php';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
Save this file in the same directory: book.xlsx
Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.
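As an added example (not PhpSpreadsheet's own code and not the project's actual fix), the PHP below shows the kind of scheme allow-list a writer can apply to hyperlink targets before placing them in an href; the function names and the sample URLs are constructed for illustration.

```php
<?php
// Added example (not PhpSpreadsheet's code): allow-list hyperlink schemes
// before the URL is written into an href attribute.

/**
 * Return a URL that is safe to place in an href, or null if it must be
 * dropped. Only http, https, mailto and scheme-less (relative or fragment)
 * links are accepted; javascript:, data:, vbscript: and all others are not.
 */
function safeHyperlinkUrl(string $url): ?string
{
    // Browsers ignore leading/trailing C0 controls and spaces and strip
    // ASCII tab/CR/LF anywhere in a URL, so a naive prefix check on the raw
    // string is not enough. Normalize the same way before deciding.
    $normalized = preg_replace('/[\t\r\n]/', '', trim($url, " \0..\x1F"));
    if ($normalized === null || $normalized === '') {
        return null;
    }
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalized, $m) === 1) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, ['http', 'https', 'mailto'], true)) {
            return null;
        }
    }
    return $normalized;
}

/** Render one cell as a table cell, linking only when the URL is safe. */
function renderCell(string $text, ?string $hyperlink): string
{
    $escapedText = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href = $hyperlink === null ? null : safeHyperlinkUrl($hyperlink);
    if ($href === null) {
        return "<td>{$escapedText}</td>";           // text kept, link dropped
    }
    $escapedHref = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td><a href=\"{$escapedHref}\">{$escapedText}</a></td>";
}

// Constructed sample hyperlinks standing in for a workbook's regular
// hyperlinks and HYPERLINK() formula results.
$samples = [
    ['Docs',  'https://example.com/docs'],
    ['Mail',  'mailto:security@example.com'],
    ['Sheet', '#Sheet2!A1'],
    ['Bad 1', 'javascript:alert(1)'],
    ['Bad 2', " JaVaScRiPt\n:alert(1)"],   // case and whitespace variant
    ['Bad 3', 'data:text/plain,hello'],
];
foreach ($samples as [$text, $url]) {
    echo renderCell($text, $url), "\n";
}
```

The three "Bad" rows render as plain cells with no anchor, while the first three keep their links; escaping the href with htmlspecialchars is still required so a permitted URL cannot break out of the attribute.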
References
- GHSA-r8w8-74ww-j4wh
- PHPOffice/PhpSpreadsheet@392dd08
- PHPOffice/PhpSpreadsheet@8b9b378
- PHPOffice/PhpSpreadsheet@f0b70ed
Published to the GitHub Advisory Database: Oct 7, 2024