Unknown · Phpspreadsheet · CVE-2024-45048
**Name of the Vulnerable Software and Affected Versions**
PHPSpreadsheet versions prior to 2.2.1
**Description**
The issue allows a filter to be bypassed, enabling an XML External Entity (XXE) attack. The attack can obtain the contents of local files, even if error reporting is muted. Technically, the bypass uses a single-quote character to evade the filter defined by the `$pattern = '/encoding="(.*?)"/';` variable, which only recognises a double-quoted encoding attribute. The published proof of concept modifies an xlsx file to include a malicious XML header, which takes effect when the file is opened. No estimate of the number of potentially affected devices worldwide is given, and there is no information about real-world incidents in which this issue was exploited.
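As an added example (not PhpSpreadsheet's own code), the following Python places the advisory's regex beside a hardened check that accepts either quote style and inspects only the XML declaration; the sample declarations are constructed for the demonstration, and the hardened pattern and helper names are assumptions, not the project's fix.

```python
import re

# The pattern quoted in the advisory: it only recognises a double-quoted
# encoding attribute, so an encoding='...' declaration is silently missed.
WEAK_PATTERN = re.compile(r'encoding="(.*?)"')

# Hardened form (constructed for this example): either quote style, optional
# whitespace around '=', and a value limited to the characters an XML EncName
# may contain (XML 1.0, section 4.3.3).
HARDENED_PATTERN = re.compile(
    r"""encoding\s*=\s*(?:"([A-Za-z][A-Za-z0-9._-]*)"|'([A-Za-z][A-Za-z0-9._-]*)')"""
)

# Constructed sample prologs for a sharedStrings.xml-style part.
SAMPLES = {
    "double": '<?xml version="1.0" encoding="UTF-8"?><sst/>',
    "single": "<?xml version='1.0' encoding='ISO-8859-1'?><sst/>",
    "spaced": "<?xml version = '1.0' encoding = 'windows-1252' ?><sst/>",
    "none": '<?xml version="1.0"?><sst/>',
}


def find_charset_weak(xml: str) -> str:
    """Mirror the advisory's check: whole-document search, UTF-8 when unmatched."""
    m = WEAK_PATTERN.search(xml)
    return m.group(1).upper() if m else "UTF-8"


def _xml_declaration(xml: str) -> str:
    """Return the attribute text of a leading <?xml ...?> declaration, or ''."""
    m = re.match(r"\s*<\?xml\b(.*?)\?>", xml, re.DOTALL)
    return m.group(1) if m else ""


def find_charset_hardened(xml: str) -> str:
    """Return the declared encoding regardless of quoting; UTF-8 when absent."""
    m = HARDENED_PATTERN.search(_xml_declaration(xml))
    if not m:
        return "UTF-8"
    return (m.group(1) or m.group(2)).upper()


def detection_gap(xml: str) -> bool:
    """True when the weak check and the hardened check disagree on the charset."""
    return find_charset_weak(xml) != find_charset_hardened(xml)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:7} weak={find_charset_weak(sample):13} "
              f"hardened={find_charset_hardened(sample):13} gap={detection_gap(sample)}")
```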
**Recommendations**
For PHPSpreadsheet versions prior to 2.2.1, upgrade to version 2.2.1 to address the issue. As a temporary workaround until the upgrade can be applied, consider restricting use of the vulnerable `IOFactory::load()` function. Avoid using the `sharedStrings.xml` file in the affected xlsx files until the issue is resolved.