Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-r8w8-74ww-j4wh: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize “javascript:” URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

Save this file in the same directory: book.xlsx

Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.

ghsa
#xss#vulnerability#web#git#java#php#perl
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-45292

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Moderate severity GitHub Reviewed Published Oct 7, 2024 in PHPOffice/PhpSpreadsheet • Updated Oct 7, 2024

Package

composer phpoffice/phpspreadsheet (Composer)

Affected versions

>= 2.2.0, < 2.3.0

< 1.29.2

>= 2.0.0, < 2.1.1

Patched versions

2.3.0

1.29.2

2.1.1

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize “javascript:” URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

Save this file in the same directory:
book.xlsx

Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.

References

  • GHSA-r8w8-74ww-j4wh
  • PHPOffice/PhpSpreadsheet@392dd08
  • PHPOffice/PhpSpreadsheet@8b9b378
  • PHPOffice/PhpSpreadsheet@f0b70ed

Published to the GitHub Advisory Database

Oct 7, 2024

ghsa: Latest News

GHSA-49cc-xrjf-9qf7: SFTPGo allows administrators to restrict command execution from the EventManager