CVE-2024-56411 MEDIUM

CVE-2024-56411: PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

Vendor Phpoffice

Product PhpSpreadsheet

Weakness CWE-79 · XSS

Published January 3, 2025

Last update January 3, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

Key dates

02Disclosure timeline

January 3, 2025 CVE published

January 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-56411

Related vulnerabilities

Identifiers

CVE CVE-2024-56411

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 3.0.0, < 3.7.0

Vendor Phpoffice

Product PhpSpreadsheet

Affected < 1.29.7

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.0.0, < 2.1.6

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.2.0, < 2.3.5

CVE-2024-56411: PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

01Description

02Disclosure timeline

03References

04Related CVE