CVE-2024-48917

HIGH

Phpoffice Phpspreadsheet < 1.29.4 - XXE

Title source: rule

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding="UTF-8"` with `"`, which is matched by the first regex, so that `encoding='UTF-7'` with single quotes `'` in the XML header is not matched by the second regex. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.

References (3)

[Exploit, Vendor Advisory] https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp

[Product] https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php

[Not Applicable] https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Scores

CVSS v3 7.5

EPSS 0.0017

EPSS Percentile 38.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (3)

phpoffice/phpexcel 0Packagist

phpoffice/phpspreadsheet < 1.29.4

phpoffice/phpspreadsheet 0 - 1.29.4Packagist

Published Nov 18, 2024

Tracked Since Feb 18, 2026