Haile01

**Nome do software vulnerável e versões afetadas** Versões do Spreadsheet::ParseXLSX anteriores à 0.28 **Descrição** O problema decorre do fato de a implementação da memoização não possuir restrições adequadas para células mescladas, levando a uma condição de falta de memória ao analisar um documento XLSX malicioso. Isso pode causar uma negação de serviço. **Recomendações** Para versões anteriores à 0.28, atualize para a versão 0.28 ou posterior para resolver o problema. Como solução temporária, considere implementar restrições nas células mescladas na implementação do memoize para evitar condições de falta de memória.

**Name of the Vulnerable Software and Affected Versions** Barracuda ESG Appliance versions 5.1.3.001 through 9.2.1.001 **Description** The issue is related to a case of arbitrary code execution that resides within a third-party and open-source library named Spreadsheet::ParseExcel, used by the Amavis scanner within the gateway to screen Microsoft Excel email attachments for malware. This vulnerability allowed parameter injection. Chinese hackers exploited this zero-day vulnerability to deliver malware to Barracuda Email Security Gateway (ESG) appliances and deploy backdoors on a limited number of devices. The estimated number of potentially affected devices worldwide is around 7,877, mainly distributed in the United States, China, and other countries. Google Cloud reported the detection of this vulnerability's exploitation, specifically targeting high-tech, information technology providers, and government entities, primarily in the U.S. and Asia-Pacific regions. **Recommendations** For Barracuda ESG Appliance versions 5.1.3.001 through 9.2.1.001, update to the latest version that includes the patch for this vulnerability. As a temporary workaround, consider disabling the Amavis scanner or restricting the use of the Spreadsheet::ParseExcel library until a patch is available. Barracuda has deployed a security update to all active ESG appliances, which was applied automatically, and then deployed a second patch to remediate compromised ESG appliances.

**Name of the Vulnerable Software and Affected Versions** Spreadsheet::ParseExcel version 0.65 **Description** The issue is related to the evaluation of Number format strings within the Excel parsing logic, which allows for arbitrary code execution due to passing unvalidated input from a file into a string-type `eval`. This vulnerability can be exploited when processing XLS or XLSX files that include specially crafted number formatting rules. The problem is caused by the use of data from the processed file when building the `eval` call. **Recommendations** For Spreadsheet::ParseExcel version 0.65, upgrade to version 0.66 to fix the issue. As a temporary workaround, consider disabling the use of Number format strings within the Excel parsing logic until a patch is available. Restrict access to the `eval` function to minimize the risk of exploitation. Avoid using the `eval` function with unvalidated input from files.