PT-2023-8146 · Unknown+4 · Spreadsheet::Parseexcel+4

Đình Hải Lê +1 · Published 2023-12-21 · Updated 2025-10-31 · CVE-2023-7101

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
Spreadsheet::ParseExcel version 0.65

Description
The issue is related to the evaluation of Number format strings within the Excel parsing logic, which allows for arbitrary code execution due to passing unvalidated input from a file into a string-type eval. This vulnerability can be exploited when processing XLS or XLSX files that include specially crafted number formatting rules. The problem is caused by the use of data from the processed file when building the eval call.

Recommendations
For Spreadsheet::ParseExcel version 0.65, upgrade to version 0.66 to fix the issue. As a temporary workaround, consider disabling the use of Number format strings within the Excel parsing logic until a patch is available. Restrict access to the eval function to minimize the risk of exploitation. Avoid using the eval function with unvalidated input from files.
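
The eval pattern described above next to a hardened alternative, as an added illustration (example code, not the Spreadsheet::ParseExcel source and not its 0.66 fix). The Excel-style `[>100]` conditional section, the `condition_matches` helper and the sample inputs are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative pattern only (not the module's source): a condition read from
# a number format section such as "[>100]" is pasted into a string eval, so
# whatever the file contains between the brackets is compiled as Perl:
#     my $hit = eval "$number $condition";    # unsafe: file data becomes code

# Hardened form: parse the condition with a strict grammar and dispatch
# through a fixed table of comparison operators. Nothing is ever eval'd.
my %COMPARE = (
    '<'  => sub { $_[0] <  $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '='  => sub { $_[0] == $_[1] },
    '<>' => sub { $_[0] != $_[1] },
);

# A plain decimal literal; only non-capturing groups, so $1/$2 stay free.
my $NUM = qr/[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?/;

# Returns 1 or 0 for a well-formed condition, undef for anything else.
sub condition_matches {
    my ($number, $section) = @_;
    return undef unless defined $number && $number =~ /\A$NUM\z/;
    return undef unless defined $section
        && $section =~ /\A\[(<=|>=|<>|<|>|=)($NUM)\]\z/;
    return $COMPARE{$1}->($number, $2) ? 1 : 0;
}

# Constructed sample inputs (not taken from any real workbook).
my @samples = (
    [ 150, '[>100]'            ],
    [ 50,  '[>=100]'           ],
    [ 7,   '[<>7]'             ],
    [ 150, '[>100 extra text]' ],   # trailing tokens after the operand: rejected
    [ 150, '[gt 100]'          ],   # operator not in the table: rejected
);

for my $s (@samples) {
    my $r = condition_matches(@$s);
    printf "%-20s with %-5s => %s\n", $s->[1], $s->[0],
        defined $r ? ($r ? 'match' : 'no match') : 'rejected';
}
```

A condition that does not match the grammar is rejected outright, so the caller can skip the format section or refuse the file without ever compiling its contents.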

Exploit

Fix

Code Injection

Eval Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2024-15031
ALT-PU-2024-7687
ALT-PU-2024-7689
ALT-PU-2024-7717
BDU:2024-00129
BDU:2024-00130
CVE-2023-7101
DLA-3702-1
DSA-5592-1
OESA-2025-2507
OESA-2025-2508
OESA-2025-2613
OPENSUSE-SU-2024:13558-1
RSEC-2023-9
SUSE-SU-2024:0158-1
SUSE-SU-2024_0158-1
USN-6781-1

Affected Products

Alt Linux
Linuxmint
Spreadsheet::Parseexcel
Suse
Ubuntu