CVE-2024-56412 MEDIUM

CVE-2024-56412: PhpSpreadsheet vulnerable to bypass of the XSS sanitizer using the javascript protocol and special characters

Vendor Phpoffice

Product PhpSpreadsheet

Weakness CWE-79 · XSS

Published January 3, 2025

Last update January 3, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

Key dates

Disclosure timeline

January 3, 2025 CVE published

January 3, 2025 Record updated

Identifiers

CVE CVE-2024-56412

CWE CWE-79

CVSS 4.8 / MEDIUM

Affected versions

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 3.0.0, < 3.7.0

Vendor Phpoffice

Product PhpSpreadsheet

Affected < 1.29.7

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.0.0, < 2.1.6

Vendor Phpoffice

Product PhpSpreadsheet

Affected >= 2.2.0, < 2.3.5