Vulnerability Description
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value `encoding="UTF-8"` with `"`, which is matched by the first regex, so that `encoding='UTF-7'` with single quotes `'` in the XML header is not matched by the second regex. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phpoffice | Phpspreadsheet | < 1.29.4 |
Related Weaknesses (CWE)
References
- https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45efProduct
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vExploitVendor Advisory
- https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_ProcesNot Applicable
FAQ
What is CVE-2024-48917?
CVE-2024-48917 is a vulnerability with a CVSS score of 7.5 (HIGH). PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a scan method which should prevent XXE attacks. However, in a bypass of the previously reported `C...
How severe is CVE-2024-48917?
CVE-2024-48917 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-48917?
Check the references section above for vendor advisories and patch information. Affected products include: Phpoffice Phpspreadsheet.