Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qbXB4LTY4NnYtYzN3eM4ABC8h
PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
Unauthorized Reflected XSS in the constructor of the Downloader class
Product: Phpspreadsheet
Version: version 3.6.0
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N)
CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L)
Description: using the /vendor/phpoffice/phpspreadsheet/samples/download.php script, an attacker can perform a XSS-type attack
Impact: execution of arbitrary JavaScript code in the browser
Vulnerable component: the constructor of the Downloader class
Exploitation conditions: an unauthorized user
Mitigation: sanitization of the name and type variables
Researcher: Aleksey Solovev (Positive Technologies)
Research
The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the Downloader class) in Phpspreadsheet.
The latest version (3.6.0) of the phpoffice/phpspreadsheet library was installed. The installation was carried out with the inclusion of examples.
Listing 1. Installing the phpoffice/phpspreadsheet library
$ composer require phpoffice/phpspreadsheet --prefer-source
The ./vendor/phpoffice/phpspreadsheet/samples/download.php file processes the GET parameters name and type.
Figure 1. The ./vendor/phpoffice/phpspreadsheet/samples/download.php file accepts GET parameters.
Consider the constructor of the Downloader class, where GET parameters are passed. Error is displayed without sanitization using GET parameters transmitted from the user.
Figure 2. Error is displayed without sanitization
When clicking on the following link, arbitrary JavaScript code will be executed.
Listing 2.
https://192.***.***.***/vendor/phpoffice/phpspreadsheet/samples/download.php?name=%3Cimg%20src=1%20onerror=alert()%3E&type=1
Demonstration of the execution of arbitrary JavaScript code.
Figure 3. Executing arbitrary JavaScript code
Credit
This vulnerability was discovered by Aleksey Solovev (Positive Technologies)
Permalink: https://github.com/advisories/GHSA-jmpx-686v-c3wxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qbXB4LTY4NnYtYzN3eM4ABC8h
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 20 days ago
Updated: 20 days ago
CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS Percentage: 0.00043
EPSS Percentile: 0.11007
Identifiers: GHSA-jmpx-686v-c3wx, CVE-2024-56365
References:
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jmpx-686v-c3wx
- https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4#diff-fbb0f53a5c68eeeffaa9ab35552c0b01740396f1a4045af5d2935ec2a62a7816
- https://nvd.nist.gov/vuln/detail/CVE-2024-56365
- https://github.com/advisories/GHSA-jmpx-686v-c3wx
Blast Radius: 30.6
Affected Packages
packagist:phpoffice/phpspreadsheet
Dependent packages: 1,063Dependent repositories: 20,090
Downloads: 210,771,905 total
Affected Version Ranges: >= 2.2.0, <= 2.3.4, >= 2.0.0, <= 2.1.5, <= 1.29.6, >= 3.0.0, < 3.7.0
Fixed in: 2.3.5, 2.1.6, 1.29.7, 3.7.0
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.17.0, 1.17.1, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.24.1, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.27.0, 1.27.1, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.29.3, 1.29.4, 1.29.5, 1.29.6, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 3.3.0, 3.4.0, 3.5.0, 3.6.0
All unaffected versions: 1.29.7, 1.29.8, 2.1.6, 2.1.7, 2.3.5, 2.3.6, 3.7.0, 3.8.0