CVE-2024-45292 MEDIUM

CVE-2024-45292: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Vendor Phpoffice

Product PhpSpreadsheet

Weakness CWE-79 · XSS

Published October 7, 2024

Last update October 7, 2024

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

October 7, 2024 CVE published

October 7, 2024 Record updated

Identifiers

CVE CVE-2024-45292

CWE CWE-79

CVSS 5.4 / MEDIUM

Affected versions

Vendor Phpoffice

Product PhpSpreadsheet

Affected < 1.29.2

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.0.0, < 2.1.1

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.2.0, < 2.3.0