CVE-2024-45293
Published: 07 October 2024
Summary
CVE-2024-45293 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in Phpoffice Phpspreadsheet. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. CVE-2024-45293 is an XML External Entity (XXE) vulnerability in its XLSX reader that stems from a flawed encoding check inside the toUtf8 function of src/PhpSpreadsheet/Reader/Security/XmlScanner.php. The regex intended to detect the XML encoding declaration only matches encoding="*" or encoding='*'; any whitespace around the equals sign causes the check to fail, so the document is treated as UTF-8 and never converted. A UTF-7 encoded XXE payload therefore reaches the security scanner in a form its checks do not recognise and bypasses it.
An unauthenticated attacker who can upload XLSX files to a server that processes them with PHPSpreadsheet can supply a crafted spreadsheet that triggers the XXE and reads arbitrary server files or other sensitive information. The attack requires no user interaction and is exploitable over the network with low attack complexity, corresponding to the CVSS 7.5 rating and CWE-611 classification.
The GitHub Security Advisory GHSA-6hwr-6v2f-3m88 states that the issue has been fixed in PHPSpreadsheet releases 1.29.1, 2.1.1, and 2.3.0 and that no workarounds exist; all users are advised to upgrade immediately.
The EPSS score currently stands at 0.7163, its recorded peak, with no material rise from a low baseline after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2967
Vulnerability details
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure using whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check that retrieves the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding with a regex that looks for `encoding="*"` and/or `encoding='*'`; if no match is found, it defaults to UTF-8, which skips the conversion logic. This behaviour can be used to pass a UTF-7 encoded XXE payload by placing a whitespace before or after the = in the attribute definition. The result is sensitive information disclosure through XXE on sites that allow users to upload their own Excel spreadsheets and parse them with PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
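To make the encoding-check flaw described above (and in the deeper analysis) concrete, here is an added Python reconstruction; it is not PhpSpreadsheet's own code. A weak pattern that requires `encoding=` with no surrounding whitespace is run beside a whitespace-tolerant one over a constructed fixture whose body is a single UTF-7 base64 run. The scanner rule (reject any DOCTYPE once the document is decoded), the fixture and all function names are assumptions.

```python
import base64
import re

# Constructed fixture, not from the project: an XML prologue whose encoding
# attribute has whitespace around "=", followed by a body encoded as one
# UTF-7 base64 run. The body is a harmless DOCTYPE with no entities; it is
# only there to show whether the scanner can see it after decoding.
def utf7_shifted(text: str) -> bytes:
    """Encode text as a single UTF-7 '+...-' base64 run (RFC 2152 style)."""
    b64 = base64.b64encode(text.encode("utf-16-be")).rstrip(b"=")
    return b"+" + b64 + b"-"

PROLOGUE_SPACED = b'<?xml version="1.0" encoding = "UTF-7"?>'
PROLOGUE_PLAIN = b'<?xml version="1.0" encoding="UTF-7"?>'
BODY = utf7_shifted("<!DOCTYPE x>") + b"<x/>"

# Reconstructed from the advisory's description, not PhpSpreadsheet's source:
# the weak pattern needs "=" to touch both neighbours; the fixed one tolerates
# whitespace on either side of it.
WEAK_ENCODING_RE = re.compile(rb'encoding=(["\'])(.+?)\1', re.I)
FIXED_ENCODING_RE = re.compile(rb'encoding\s*=\s*(["\'])(.+?)\1', re.I)

def to_utf8(xml: bytes, encoding_re: re.Pattern) -> str:
    """Mirror of the toUtf8 step: use the declared charset, else assume UTF-8."""
    match = encoding_re.search(xml)
    charset = match.group(2).decode("ascii", "replace") if match else "UTF-8"
    return xml.decode(charset, errors="replace")

def doctype_detected(xml: bytes, encoding_re: re.Pattern) -> bool:
    """Assumed scanner rule: any DOCTYPE in the decoded document is rejected."""
    return "<!DOCTYPE" in to_utf8(xml, encoding_re).upper()

def audit_encoding_check() -> dict:
    """Run both patterns over both fixtures; True means the scanner blocked it."""
    return {
        "plain/weak": doctype_detected(PROLOGUE_PLAIN + BODY, WEAK_ENCODING_RE),
        "spaced/weak": doctype_detected(PROLOGUE_SPACED + BODY, WEAK_ENCODING_RE),
        "plain/fixed": doctype_detected(PROLOGUE_PLAIN + BODY, FIXED_ENCODING_RE),
        "spaced/fixed": doctype_detected(PROLOGUE_SPACED + BODY, FIXED_ENCODING_RE),
    }

if __name__ == "__main__":
    for case, blocked in audit_encoding_check().items():
        print(f"{case:13s} blocked={blocked}")
```

Only the "spaced/weak" case slips through: the weak pattern finds no encoding, the bytes are read as UTF-8, and the DOCTYPE stays hidden inside the base64 run.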
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.