CVE-2024-56411

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7

Description The issue is related to a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base, which can allow an attacker to conduct cross-site scripting attacks. This can result in the execution of arbitrary JavaScript code in the browser. The vulnerable component is the class PhpOfficePhpSpreadsheetWriterHtml, specifically the method generateHTMLHeader. An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code when a user views a specially generated Excel file.

Recommendations To resolve the issue for versions prior to 3.7.0, update to version 3.7.0 or later. To resolve the issue for versions prior to 2.3.5, update to version 2.3.5 or later. To resolve the issue for versions prior to 2.1.6, update to version 2.1.6 or later. To resolve the issue for versions prior to 1.29.7, update to version 1.29.7 or later. As a temporary workaround, consider adding additional sanitization of special characters in the string used to form the HTML page header.