CVE-2024-45292

MEDIUM

PHPSpreadsheet <1.29.2, <2.1.1, <2.3.0 - XSS

Title source: llm
STIX 2.1

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References (1)

Core 1
Core References

Scores

CVSS v3 5.4
EPSS 0.0032
EPSS Percentile 24.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (3)
phpoffice/phpexcel 0Packagist
phpoffice/phpspreadsheet < 1.29.2
phpoffice/phpspreadsheet 2.2.0 - 2.3.0Packagist
Published Oct 07, 2024
Tracked Since Feb 18, 2026