PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

Save this file in the same directory:
book.xlsx

Open index.php in a web browser. An alert should be displayed.

Impact

Full takeover of the session of users viewing spreadsheet files as HTML.

References

oleibman published to PHPOffice/PhpSpreadsheet Aug 28, 2024

Published by the National Vulnerability Database Aug 28, 2024

Published to the GitHub Advisory Database Aug 29, 2024

Reviewed Aug 29, 2024

Last updated Sep 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

PoC

Impact

References

Severity

CVSS overall score

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

CVSS v4 base metrics

Exploitability Metrics

Vulnerable System Impact Metrics

Subsequent System Impact Metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code

Credits