CVE-2024-45046: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

First published: Wed Aug 28 2024(Updated: )

### Summary `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. ### PoC Example target script: ``` <?php require 'vendor/autoload.php'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx"); $spreadsheet = $reader->load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll()); ``` Save this file in the same directory: [book.xlsx](https://github.com/PHPOffice/PhpSpreadsheet/files/15212797/book.xlsx) Open index.php in a web browser. An alert should be displayed. ### Impact Full takeover of the session of users viewing spreadsheet files as HTML.

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/title
• agent/weakness
• agent/type
• agent/first-publish-date
• agent/severity
• agent/references
• agent/description
• agent/author
• collector/mitre-cve
• source/MITRE
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-wgmf-q9vr-vww6
• alias/CVE-2024-45046
• agent/software-canonical-lookup
• agent/remedy
• agent/last-modified-date
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup-request
• agent/softwarecombine
• collector/nvd-cve
• agent/event
• collector/github-advisory
• agent/tags
• agent/trending
• package-manager/composer
• vendor/phpoffice
• canonical/phpoffice phpspreadsheet
• version/phpoffice phpspreadsheet/2.0.0