PT-2018-14898 · Phpoffice · Phpoffice Phpspreadsheet

Published: 2018-11-14 · Updated: 2024-09-04 · CVE-2018-19277

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PHPOffice PhpSpreadsheet versions prior to 1.5.1

Description: The XML External Entity (XXE) protection provided by the securityScan() function in PHPOffice PhpSpreadsheet can be bypassed by using UTF-7 encoding in a .xlsx file, so the check does not recognise the encoded markup it is meant to block.

Recommendations: For PHPOffice PhpSpreadsheet versions prior to 1.5.1, update to version 1.5.1 or later to resolve the issue. As a temporary workaround, consider disabling the securityScan() function until a patch is available. Restrict access to .xlsx files to minimize the risk of exploitation. Avoid using UTF-7 encoding in .xlsx files until the issue is resolved.
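The weakness described above comes down to a scan that looks for DOCTYPE/ENTITY markers in the raw bytes of a part, which a UTF-7 encoded part slips past because those bytes never contain the literal "<!". The following is an added illustration, not PhpSpreadsheet's securityScan() code: it places a byte-level check beside one that decodes each XML part according to its declared encoding before matching, and runs both over constructed sample parts packed into a minimal in-memory archive. The function names, the archive layout and the sample parts are assumptions made for the example.

```python
"""Encoding-aware scan of the XML parts inside an .xlsx archive for XXE markers.

Added illustration for this advisory, not PhpSpreadsheet's securityScan() code.
It contrasts a byte-level substring check, which a UTF-7 encoded part slips
past, with a check that decodes the part according to its declared encoding
before matching.
"""
import base64
import io
import re
import zipfile

# Encoding attribute of the XML declaration, matched on the raw bytes.
XML_DECL_ENCODING = re.compile(
    rb'^\s*<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']', re.IGNORECASE)
# DOCTYPE or ENTITY declarations are what an XXE payload needs.
XXE_MARKERS_BYTES = re.compile(rb'<!(?:DOCTYPE|ENTITY)\b', re.IGNORECASE)
XXE_MARKERS_TEXT = re.compile(r'<!(?:DOCTYPE|ENTITY)\b', re.IGNORECASE)


def naive_scan(xml_bytes: bytes) -> bool:
    """Weak pattern: only sees markers that appear literally in the raw bytes."""
    return XXE_MARKERS_BYTES.search(xml_bytes) is not None


def declared_encoding(xml_bytes: bytes) -> str:
    """Encoding the part claims to use: a UTF-16 BOM first, then the declaration."""
    if xml_bytes.startswith((b'\xff\xfe', b'\xfe\xff')):
        return 'utf-16'
    m = XML_DECL_ENCODING.match(xml_bytes)
    return m.group(1).decode('ascii') if m else 'utf-8'


def hardened_scan(xml_bytes: bytes) -> bool:
    """Decode with the declared encoding, then match on the decoded text."""
    try:
        text = xml_bytes.decode(declared_encoding(xml_bytes), errors='replace')
    except LookupError:
        return True  # unknown encoding: fail closed rather than silently pass
    return XXE_MARKERS_TEXT.search(text) is not None


def scan_xlsx(data: bytes) -> dict:
    """Map every XML part in the archive to whether the hardened scan flags it."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(('.xml', '.rels')):
                results[name] = hardened_scan(zf.read(name))
    return results


def utf7_base64(chars: str) -> bytes:
    """Write chars as a UTF-7 base64 run (+...-) instead of as direct ASCII."""
    return b'+' + base64.b64encode(chars.encode('utf-16-be')).rstrip(b'=') + b'-'


# Constructed sample parts. The XML declaration stays plain ASCII (every
# character in it may appear directly in UTF-7), while the "<!" in front of
# DOCTYPE and ENTITY is carried as a base64 run, so the raw bytes never
# contain "<!DOCTYPE". The entity itself is a harmless internal placeholder.
UTF7_PART = (b'<?xml version="1.0" encoding="UTF-7"?>\n'
             + utf7_base64('<!') + b'DOCTYPE workbook ['
             + utf7_base64('<!') + b'ENTITY e "placeholder">]>\n'
             + b'<workbook>&e;</workbook>\n')
UTF8_PART = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
             b'<!DOCTYPE workbook [<!ENTITY e "placeholder">]>\n'
             b'<workbook>&e;</workbook>\n')
CLEAN_PART = b'<?xml version="1.0" encoding="UTF-8"?>\n<workbook/>\n'


def build_sample_xlsx() -> bytes:
    """Minimal in-memory archive (constructed) with one UTF-7 part among clean ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('[Content_Types].xml', CLEAN_PART)
        zf.writestr('xl/_rels/workbook.xml.rels', CLEAN_PART)
        zf.writestr('xl/workbook.xml', UTF7_PART)
    return buf.getvalue()


if __name__ == '__main__':
    for label, part in (('utf-8', UTF8_PART), ('utf-7', UTF7_PART), ('clean', CLEAN_PART)):
        print(f'{label}: naive={naive_scan(part)} hardened={hardened_scan(part)}')
    print(scan_xlsx(build_sample_xlsx()))
```

Running the block shows naive_scan() flagging the UTF-8 part but not the UTF-7 one, while hardened_scan() flags both and leaves the clean part alone. The design point is that any string-level guard placed in front of an XML parser has to see the same characters the parser will see, which means honouring the BOM and the declared encoding before matching; an unknown encoding is treated as a finding rather than a pass, since a silently skipped part is exactly the gap this advisory describes.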

Related Identifiers

CVE-2018-19277
GHSA-XCRG-29H7-H4CJ

Affected Products

Phpoffice Phpspreadsheet