PT-2023-8146 · Unknown+4 · Spreadsheet::ParseExcel+4

Đình Hải Lê +1 · Published 2023-12-21 · Updated 2025-10-31 · CVE-2023-7101

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Spreadsheet::ParseExcel version 0.65

Description: The issue is related to the evaluation of Number format strings within the Excel parsing logic, which allows for arbitrary code execution due to passing unvalidated input from a file into a string-type eval. This vulnerability can be exploited when processing XLS or XLSX files that include specially crafted number formatting rules. The problem is caused by the use of data from the processed file when building the eval call.

Recommendations: For Spreadsheet::ParseExcel version 0.65, upgrade to version 0.66 to fix the issue. As a temporary workaround, consider disabling the use of Number format strings within the Excel parsing logic until a patch is available. Restrict access to the eval function to minimize the risk of exploitation. Avoid using the eval function with unvalidated input from files.
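
To act on the upgrade recommendation, the following added example (not part of the original advisory or of the Spreadsheet::ParseExcel project) walks a directory tree for installed or vendored copies of `Spreadsheet/ParseExcel.pm` and reports those older than 0.66. It assumes the module declares its version in the conventional `$VERSION = '...'` form and treats every version below 0.66 as needing the upgrade, although the advisory names only 0.65; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
from decimal import Decimal

FIXED = Decimal("0.66")  # fixed release named in the advisory
# Assumption: the version is declared the conventional Perl way,
# e.g.  our $VERSION = '0.65';
VERSION_RE = re.compile(r"\$VERSION\s*=\s*['\"]?(\d+\.\d+)")


def module_version(path):
    """Return the declared version of a ParseExcel.pm file, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.lstrip().startswith("#"):
                continue  # ignore commented-out declarations
            m = VERSION_RE.search(line)
            if m:
                return Decimal(m.group(1))
    return None


def find_outdated(root):
    """Return [(path, version)] for every copy under root older than FIXED.

    Copies whose version cannot be read are reported with version None."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "Spreadsheet" and "ParseExcel.pm" in files:
            path = os.path.join(dirpath, "ParseExcel.pm")
            ver = module_version(path)
            if ver is None or ver < FIXED:
                hits.append((path, ver))
    return sorted(hits, key=lambda h: h[0])


def demo():
    """Scan a constructed tree: one vendored 0.65 copy and one 0.66 copy."""
    with tempfile.TemporaryDirectory() as root:
        for app, ver in (("legacy", "0.65"), ("patched", "0.66")):
            d = os.path.join(root, app, "lib", "Spreadsheet")
            os.makedirs(d)
            with open(os.path.join(d, "ParseExcel.pm"), "w") as fh:
                fh.write(f"package Spreadsheet::ParseExcel;\nour $VERSION = '{ver}';\n1;\n")
        return [(os.path.relpath(p, root).replace(os.sep, "/"), str(v))
                for p, v in find_outdated(root)]


if __name__ == "__main__":
    print(demo())
```

Point `find_outdated` at application directories and Perl library paths; vendored copies bundled inside other products are not replaced by a system package upgrade.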

Exploit

Fix

Code Injection

Eval Injection


Weakness Enumeration

Related Identifiers

ALT-PU-2024-15031
ALT-PU-2024-7687
ALT-PU-2024-7689
ALT-PU-2024-7717
BDU:2024-00129
BDU:2024-00130
CVE-2023-7101
DLA-3702-1
DSA-5592-1
OESA-2025-2507
OESA-2025-2508
OESA-2025-2613
OPENSUSE-SU-2024:13558-1
RSEC-2023-9
SUSE-SU-2024:0158-1
SUSE-SU-2024_0158-1
USN-6781-1

Affected Products

Alt Linux
Linuxmint
Spreadsheet::ParseExcel
Suse
Ubuntu