CVE-2019-12331

Name of the Vulnerable Software and Affected Versions PHPOffice PhpSpreadsheet versions prior to 1.8.0

Description The issue arises from the XmlScanner decoding sheet1.xml from an .xlsx file to utf-8 if a different encoding is declared in the header. This was initially intended as a security measure but is insufficient. By double-encoding the xml payload to utf-7, it is possible to bypass the check for the string <!ENTITY and thus allow for an XML external entity processing (XXE) attack.

Recommendations For versions prior to 1.8.0, update to version 1.8.0 or later to resolve the issue. As a temporary workaround, consider restricting the processing of .xlsx files with non-UTF-8 encoding declarations to minimize the risk of exploitation.