GHSA-79xx-vf93-p7cx: XSS
First published: Tue Jan 21 2025(Updated: )
### Summary The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response. ### Details When generating the HTML from an xlsx file containing multiple sheets, a navigation menu is created. This menu includes the sheet names, which are not sanitized. As a result, an attacker can exploit this vulnerability to execute JavaScript code. ```php // Construct HTML $html = ''; // Only if there are more than 1 sheets if (count($sheets) > 1) { // Loop all sheets $sheetId = 0; $html .= '<ul class="navigation">' . PHP_EOL; foreach ($sheets as $sheet) { $html .= ' <li class="sheet' . $sheetId . '"><a href="#sheet' . $sheetId . '">' . $sheet->getTitle() . '</a></li>' . PHP_EOL; ++$sheetId; } $html .= '</ul>' . PHP_EOL; } ``` ### PoC 1. Create an XLSX file with multiple sheets :  2. Generate the HTML content ```php <?php require __DIR__ . '/vendor/autoload.php'; $inputFileName = 'payload.xlsx'; $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); $writer->writeAllSheets(); echo $writer->generateHTMLAll(); ?> ``` 3. Enjoy  ### Impact XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. Example of impacts : - Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (Only if HttpOnly cookie's flag is set to false). - Redirecting the user to some other page or site (like phishing websites) - Modifying the content of the current page (add a fake login page that sends credentials to the attacker). - Automatically download malicious files. - Requests access to the victim geolocation / camera. - ...
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpoffice/phpspreadsheet | >=2.2.0<2.3.6 | 2.3.6 |
| composer/phpoffice/phpspreadsheet | >=2.0.0<2.1.7 | 2.1.7 |
| composer/phpoffice/phpspreadsheet | <1.29.8 | 1.29.8 |
| composer/phpoffice/phpspreadsheet | >=3.0.0<3.8.0 | 3.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-79xx-vf93-p7cx
- alias/CVE-2025-22131
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/source
- agent/last-modified-date
- agent/type
- agent/tags
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/event
- package-manager/composer