CVE-2024-45048

HIGH

PHPSpreadsheet < 1.29.1 - XML External Entity Injection via Filter Bypass

Title source: llm

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7

Patch x_refsource_misc

https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0057

EPSS Percentile 42.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-611

Status published

Products (3)

phpoffice/phpexcel 0Packagist

phpoffice/phpspreadsheet < 1.29.1

phpoffice/phpspreadsheet 0 - 1.29.1Packagist

Published Aug 28, 2024

Tracked Since Feb 18, 2026