PT-2024-10176 · Phpoffice · Phpspreadsheet

Aleksey Solovev · Published 2024-12-23 · Updated 2025-04-21 · CVE-2024-56366

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions

PhpSpreadsheet versions prior to 3.7.0
PhpSpreadsheet versions prior to 2.3.5
PhpSpreadsheet versions prior to 2.1.6
PhpSpreadsheet versions prior to 1.29.7

Description

The issue is a reflected cross-site scripting vulnerability in the Accounting.php sample script, exploitable without authentication. Using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php script, an attacker can perform a reflected cross-site scripting attack and execute arbitrary JavaScript code in the browser. The vulnerable component is the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php file, and the only exploitation condition is an unauthenticated user.

Recommendations

Update to version 3.7.0 or later to fix the issue.
Update to version 2.3.5 or later to fix the issue.
Update to version 2.1.6 or later to fix the issue.
Update to version 1.29.7 or later to fix the issue.
As a temporary workaround, sanitize the currency variable in the Accounting.php file before it is written into the HTML output, to prevent cross-site scripting.
Restrict access to the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php script to minimize the risk of exploitation.
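The following is an added illustration of the temporary workaround above; it is constructed for this advisory and is not the code of the PhpSpreadsheet sample script. It shows a request parameter named currency rendered into an HTML attribute once unescaped and once escaped with htmlspecialchars, with an allow-list check in front; the function names and the sample input are assumptions.

```php
<?php
declare(strict_types=1);

// Unsafe pattern (constructed): the request value is interpolated straight
// into markup, so any HTML or script in ?currency=... is rendered as-is.
function renderCurrencyFieldUnsafe(string $currency): string
{
    return "<input type=\"text\" name=\"currency\" value=\"{$currency}\">";
}

// Hardened form: escape for the HTML attribute context before output.
// ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE keeps malformed UTF-8
// from turning the result into an empty string, and the charset is explicit.
function renderCurrencyFieldSafe(string $currency): string
{
    $escaped = htmlspecialchars($currency, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type=\"text\" name=\"currency\" value=\"{$escaped}\">";
}

// Allow-list in front of the escaping: a currency symbol or ISO code is a
// small alphabet (one to three currency-symbol or ASCII letters), so anything
// else can be rejected outright instead of merely neutralised.
function isPlausibleCurrency(string $currency): bool
{
    return preg_match('/^[\p{Sc}A-Za-z]{1,3}$/u', $currency) === 1;
}

// Constructed sample input containing markup; in a deployed script the value
// would come from $_GET['currency'] or $_POST['currency'].
$sample = '"><b>x</b>';

echo 'accepted by allow-list: ', var_export(isPlausibleCurrency($sample), true), PHP_EOL;
echo 'unsafe output: ', renderCurrencyFieldUnsafe($sample), PHP_EOL;
echo 'safe output:   ', renderCurrencyFieldSafe($sample), PHP_EOL;

// A legitimate value passes both the allow-list and the escaping unchanged.
echo 'legit ("EUR"): ', var_export(isPlausibleCurrency('EUR'), true), ' ',
    renderCurrencyFieldSafe('EUR'), PHP_EOL;
```

Escaping must match the output context: the htmlspecialchars call above is correct for element content and quoted attributes, but a value placed inside a script block or a URL needs a different encoder.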

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-00503
CVE-2024-56366
GHSA-C6FV-7VH8-2RHR

Affected Products

Phpspreadsheet