PHPOffice PhpSpreadsheet up to 1.29.0/2.1.0 Excel Parser XmlScanner.php toUtf8 xml external entity reference

Summaryinfo

A vulnerability described as problematic has been identified in PHPOffice PhpSpreadsheet up to 1.29.0/2.1.0. Affected by this issue is the function toUtf8 of the file src/PhpSpreadsheet/Reader/Security/XmlScanner.php of the component Excel Parser. The manipulation results in xml external entity reference. This vulnerability is reported as CVE-2024-45293. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as problematic has been found in PHPOffice PhpSpreadsheet up to 1.29.0/2.1.0. Affected is the function toUtf8 of the file src/PhpSpreadsheet/Reader/Security/XmlScanner.php of the component Excel Parser. The manipulation with an unknown input leads to a xml external entity reference vulnerability. CWE is classifying the issue as CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. This is going to have an impact on confidentiality. CVE summarizes:

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

The advisory is available at github.com. This vulnerability is traded as CVE-2024-45293 since 08/26/2024. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit.

By approaching the search of inurl:src/PhpSpreadsheet/Reader/Security/XmlScanner.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 1.29.1, 2.1.1 or 2.3.0 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• PHPOffice

Name

• PhpSpreadsheet

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10
• 1.11
• 1.12
• 1.13
• 1.14
• 1.15
• 1.16
• 1.17
• 1.18
• 1.19
• 1.20
• 1.21
• 1.22
• 1.23
• 1.24
• 1.25
• 1.26
• 1.27
• 1.28
• 1.29.0
• 2.0
• 2.1.0

Website

• Product: https://github.com/PHPOffice/PhpSpreadsheet/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion