CVE-2024-48917
Severity: HIGH
PhpSpreadsheet < 1.29.4 - XML External Entity Injection via UTF-7 Encoding Bypass
Title source: llmDescription
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method that is intended to prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes in the `findCharSet` method, which determines the current encoding, can be evaded with a payload in the UTF-7 encoding: a comment containing `encoding="UTF-8"` (with double quotes `"`) is added at the end of the file and is matched by the first regex, so that the `encoding='UTF-7'` declaration (with single quotes `'`) in the XML header is not matched by the second regex. An attacker can thus bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.
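As an added example (not PhpSpreadsheet's own code; function names and patterns are hypothetical), a hardened encoding check that closes both gaps the description names: it reads the encoding only from the XML declaration at the very start of the document, matches either quote style with a single pattern, and refuses UTF-7 outright before any DOCTYPE/ENTITY check runs.

```php
<?php
// Added illustration (not PhpSpreadsheet's own code) of the hardening points
// implied by CVE-2024-48917: inspect only the XML prolog for the declared
// encoding, accept either quote style, and refuse UTF-7.
declare(strict_types=1);

/** Encoding named in the XML declaration, or UTF-8 when none is declared. */
function declaredEncoding(string $xml): string
{
    // Drop a UTF-8 BOM, then anchor at the very start: a comment or any other
    // text later in the file can no longer influence the result.
    $xml = preg_replace('/^\xEF\xBB\xBF/', '', $xml);
    $pattern = '/\A<\?xml\s[^>]*?encoding\s*=\s*(["\'])([A-Za-z0-9._-]+)\1/i';
    if (preg_match($pattern, $xml, $m) === 1) {
        return strtoupper($m[2]);
    }
    return 'UTF-8';
}

/** Reject entity/DOCTYPE declarations after normalising the byte encoding. */
function scanXml(string $xml): string
{
    $enc = declaredEncoding($xml);
    // UTF-7 can represent '<' and '!' without those bytes appearing, which
    // defeats any byte-level DOCTYPE check, so it is refused outright.
    if ($enc === 'UTF-7') {
        throw new RuntimeException('UTF-7 encoded XML is not accepted');
    }
    if ($enc !== 'UTF-8') {
        $xml = mb_convert_encoding($xml, 'UTF-8', $enc);
    }
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $xml) === 1) {
        throw new RuntimeException('Detected DOCTYPE/ENTITY declaration');
    }
    return $xml;
}

// Constructed inputs: a single-quoted UTF-7 declaration with a trailing
// double-quoted decoy comment, as described above, and a benign document.
$decoy  = "<?xml version='1.0' encoding='UTF-7'?><r/><!-- encoding=\"UTF-8\" -->";
$benign = '<?xml version="1.0" encoding="UTF-8"?><r><c>1</c></r>';
foreach ([$decoy, $benign] as $doc) {
    try {
        scanXml($doc);
        echo "accepted: ", declaredEncoding($doc), PHP_EOL;
    } catch (RuntimeException $e) {
        echo "rejected: ", $e->getMessage(), PHP_EOL;
    }
}
```

Run with `php example.php`: the decoy document is rejected because the prolog-only check sees `UTF-7` regardless of the trailing comment, while the benign document is accepted.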
References (3)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp
Product x_refsource_misc
https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
Not Applicable x_refsource_misc
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
Scores
CVSS v3
7.5
EPSS
0.0072
EPSS Percentile
48.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (3)
phpoffice/phpexcel: 0 (Packagist)
phpoffice/phpspreadsheet: < 1.29.4
phpoffice/phpspreadsheet: 0 - 1.29.4 (Packagist)
Published
Nov 18, 2024
Tracked Since
Feb 18, 2026