CVE-2024-45060 HIGH

CVE-2024-45060: Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet

Vendor Phpoffice
Product PhpSpreadsheet
Weakness CWE-79 · XSS
Published October 7, 2024
Last update October 8, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

What the vulnerability does

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts shipped with PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability: input where a number is expected is not validated, which leads to formula injection. The code in `45_Quadratic_equation_solver.php` concatenates the user-supplied parameters directly into spreadsheet formulas. This lets an attacker control the formula and have unsanitized data emitted into the page, resulting in JavaScript execution in the browser of whoever views it. The issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0, and all users are advised to upgrade. There are no known workarounds for this vulnerability.
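The pattern the advisory describes, as an added illustration that is not PhpSpreadsheet's own code and does not reproduce the sample script: a coefficient read from the request is concatenated straight into a formula string, beside a hardened version that coerces each coefficient to a float before it reaches the formula and escapes whatever is written back into HTML. The request keys `A`, `B`, `C`, the function names and the two sample requests are assumptions made for this example.

```php
<?php
// Added example (not PhpSpreadsheet code): unsafe concatenation of request
// parameters into a formula, beside a hardened version. Function names and
// request keys are assumptions for the example.
declare(strict_types=1);

// VULNERABLE PATTERN: each parameter is spliced into the formula as text.
// Anything that is not a plain number changes the meaning of the formula,
// and whatever the formula yields is later echoed into the page.
function buildDiscriminantFormulaUnsafe(array $params): string
{
    $a = $params['A'] ?? '';
    $b = $params['B'] ?? '';
    $c = $params['C'] ?? '';
    return '=' . $b . '*' . $b . '-4*' . $a . '*' . $c;
}

// HARDENED: validate the parameter as a float first, reject the request
// otherwise, so only digits, a sign and a decimal point reach the formula.
function coefficient(array $params, string $key): float
{
    $value = filter_var($params[$key] ?? null, FILTER_VALIDATE_FLOAT);
    if ($value === false) {
        throw new InvalidArgumentException("Coefficient {$key} must be a number");
    }
    return $value;
}

function buildDiscriminantFormulaSafe(array $params): string
{
    $a = coefficient($params, 'A');
    $b = coefficient($params, 'B');
    $c = coefficient($params, 'C');
    // %F is the locale-independent float conversion, so the decimal separator
    // is always "." regardless of the server locale.
    return sprintf('=%F*%F-4*%F*%F', $b, $b, $a, $c);
}

// Anything written back into HTML is escaped regardless of where it came from.
function renderCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests: one well-formed, one with a non-numeric B.
$wellFormed = ['A' => '1', 'B' => '-3', 'C' => '2'];
$malformed  = ['A' => '1', 'B' => 'not-a-number', 'C' => '2'];

echo 'unsafe, malformed input: '
    . renderCell(buildDiscriminantFormulaUnsafe($malformed)) . PHP_EOL;
echo 'safe, well-formed input:  '
    . renderCell(buildDiscriminantFormulaSafe($wellFormed)) . PHP_EOL;

try {
    buildDiscriminantFormulaSafe($malformed);
} catch (InvalidArgumentException $e) {
    echo 'safe, malformed input:    rejected (' . $e->getMessage() . ')' . PHP_EOL;
}
```

The unsafe builder happily accepts `not-a-number` and produces a formula whose text is whatever the client sent, which is the class of defect CWE-79 and the formula-injection wording above describe; the hardened builder refuses the request before any formula exists. Escaping on output is kept separate from input validation so that a value which slips past validation in the future still cannot become markup in the page.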

Key dates

October 7, 2024 CVE published
October 8, 2024 Record updated
