PT-2024-10175 · Unknown · Phpspreadsheet

Aleksey Solovev · Published 2024-12-23 · Updated 2025-01-03 · CVE-2024-56410

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

PhpSpreadsheet versions prior to 3.7.0
PhpSpreadsheet versions prior to 2.3.5
PhpSpreadsheet versions prior to 2.1.6
PhpSpreadsheet versions prior to 1.29.7
Description

The issue is a cross-site scripting (XSS) vulnerability in custom document properties. The HTML page is generated without escaping custom properties, which can allow an attacker to execute arbitrary JavaScript code in the browser of whoever views the generated HTML. The vulnerable component is the PhpOffice\PhpSpreadsheet\Writer\Html class, specifically the generateMeta method. An attacker can embed a payload in a custom file property; it is executed as arbitrary JavaScript when the Excel file is converted to its HTML representation.
Recommendations

For versions prior to 3.7.0, update to version 3.7.0 or later.
For versions prior to 2.3.5, update to version 2.3.5 or later.
For versions prior to 2.1.6, update to version 2.1.6 or later.
For versions prior to 1.29.7, update to version 1.29.7 or later.

As a temporary workaround, consider additional sanitization of special characters in strings to minimize the risk of exploitation.
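One way to apply the temporary workaround above, written for this advisory and not taken from the PhpSpreadsheet project: HTML-escape every string-typed custom property on the loaded document before handing it to the HTML writer, so that generateMeta on an unpatched version only ever sees escaped text. It assumes PhpSpreadsheet is installed via Composer and uses placeholder file paths; the function name escapeCustomProperties is this example's own.

```php
<?php
// Added example (not project code): escape custom document properties before
// the HTML writer renders them, as a stop-gap on versions still affected by
// CVE-2024-56410. Upgrading to a fixed release remains the real fix.
require 'vendor/autoload.php'; // assumes PhpSpreadsheet installed via Composer

use PhpOffice\PhpSpreadsheet\Document\Properties;
use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Writer\Html;

/**
 * Replace every string-valued custom property with its HTML-escaped form.
 * Returns the names of the properties that were changed so the caller can
 * log which untrusted documents carried markup in their metadata.
 */
function escapeCustomProperties(Properties $props): array
{
    $changed = [];
    foreach ($props->getCustomProperties() as $name) {
        $value = $props->getCustomPropertyValue($name);
        if (!is_string($value)) {
            continue; // numeric, boolean and date properties carry no markup
        }
        $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($escaped !== $value) {
            // keep the original property type so the document stays consistent
            $props->setCustomProperty($name, $escaped, $props->getCustomPropertyType($name));
            $changed[] = $name;
        }
    }
    return $changed;
}

// 'untrusted.xlsx' and 'out.html' are placeholder paths for this example.
$spreadsheet = IOFactory::load('untrusted.xlsx');
$changed = escapeCustomProperties($spreadsheet->getProperties());
if ($changed !== []) {
    // worth recording: a spreadsheet whose metadata contained HTML special
    // characters is a signal for detection, not just something to neutralise
    error_log('Escaped custom properties: ' . implode(', ', $changed));
}

$writer = new Html($spreadsheet);
$writer->save('out.html');
```

Because the escaping is applied to the in-memory document, the same wrapper protects any later writer call made on that object; it does not cover property names, only values.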

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2025-00502
CVE-2024-56410
GHSA-WV23-996V-Q229

Affected Products

Phpspreadsheet