Headline

GHSA-r8w8-74ww-j4wh: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize “javascript:” URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

Save this file in the same directory: book.xlsx

Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.

2 hours ago

ghsa

Open in Source

#xss #vulnerability #web #git #java #php #perl

GitHub Advisory Database
GitHub Reviewed
CVE-2024-45292

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Moderate severity GitHub Reviewed Published Oct 7, 2024 in PHPOffice/PhpSpreadsheet • Updated Oct 7, 2024

Package

composer phpoffice/phpspreadsheet (Composer)

Affected versions

>= 2.2.0, < 2.3.0

< 1.29.2

>= 2.0.0, < 2.1.1

Patched versions

2.3.0

1.29.2

2.1.1

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize “javascript:” URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

Save this file in the same directory:
book.xlsx

Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.

References