CVE-2024-45048

HIGH

PHPSpreadsheet <2.2.1 - XXE

Title source: llm

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a filter bypass that allows an XXE attack. This in turn allows an attacker to obtain the contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Scores

CVSS v3 8.8
EPSS 0.0015
EPSS Percentile 35.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-611
Status published
Products (3)
phpoffice/phpexcel 0 (Packagist)
phpoffice/phpspreadsheet < 1.29.1
phpoffice/phpspreadsheet 0 - 1.29.1 (Packagist)
Published Aug 28, 2024
Tracked Since Feb 18, 2026