Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-79xx-vf93-p7cx: Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet

Summary

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Details

When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code.

        // Construct HTML
        $html = '';

        // Only if there are more than 1 sheets
        if (count($sheets) > 1) {
            // Loop all sheets
            $sheetId = 0;

            $html .= '<ul class="navigation">' . PHP_EOL;

            foreach ($sheets as $sheet) {
                $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL;
                ++$sheetId;
            }

            $html .= '</ul>' . PHP_EOL;
        }

PoC

  1. Create an XLSX file with multiple sheets : image

  2. Generate the HTML content

<?php
    require __DIR__ . '/vendor/autoload.php';

    $inputFileName = 'payload.xlsx';
    $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
    $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
    $writer->writeAllSheets();
    echo $writer->generateHTMLAll();
?>
  1. Enjoy image

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Example of impacts :

  • Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (Only if HttpOnly cookie’s flag is set to false).
  • Redirecting the user to some other page or site (like phishing websites)
  • Modifying the content of the current page (add a fake login page that sends credentials to the attacker).
  • Automatically download malicious files.
  • Requests access to the victim geolocation / camera.
ghsa
Open in Source
#xss#vulnerability#web#git#java#php#zero_day
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-22131

Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet

Moderate severity GitHub Reviewed Published Jan 18, 2025 in PHPOffice/PhpSpreadsheet • Updated Jan 21, 2025

Package

composer phpoffice/phpspreadsheet (Composer)

Affected versions

>= 3.0.0, < 3.8.0

< 1.29.8

>= 2.0.0, < 2.1.7

>= 2.2.0, < 2.3.6

Patched versions

3.8.0

1.29.8

2.1.7

2.3.6

Summary

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.

Details

When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code.

    // Construct HTML
    $html = '';

    // Only if there are more than 1 sheets
    if (count($sheets) > 1) {
        // Loop all sheets
        $sheetId = 0;

        $html .= '<ul class="navigation">' . PHP\_EOL;

        foreach ($sheets as $sheet) {
            $html .= '  <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet\->getTitle() . '</a></li>' . PHP\_EOL;
            ++$sheetId;
        }

        $html .= '</ul>' . PHP\_EOL;
    }

PoC

  1. Create an XLSX file with multiple sheets :

  2. Generate the HTML content

<?php require __DIR__ . '/vendor/autoload.php’;

$inputFileName = 'payload.xlsx';
$spreadsheet = \\PhpOffice\\PhpSpreadsheet\\IOFactory::load($inputFileName);
$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet);
$writer\->writeAllSheets();
echo $writer\->generateHTMLAll();

?>

  1. Enjoy

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.
Example of impacts :

  • Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (Only if HttpOnly cookie’s flag is set to false).
  • Redirecting the user to some other page or site (like phishing websites)
  • Modifying the content of the current page (add a fake login page that sends credentials to the attacker).
  • Automatically download malicious files.
  • Requests access to the victim geolocation / camera.

References

  • GHSA-79xx-vf93-p7cx
  • https://nvd.nist.gov/vuln/detail/CVE-2025-22131
  • PHPOffice/PhpSpreadsheet@4088381

Published to the GitHub Advisory Database

Jan 21, 2025

Last updated

Jan 21, 2025

ghsa: Latest News

GHSA-6729-95v3-pjc2: HL7 FHIR IG Publisher potentially exposes GitHub repo user and credential information
ghsa