PT-2024-10179 · Phpoffice · Phpspreadsheet

Aleksey Solovev · Published 2024-12-23 · Updated 2025-04-21 · CVE-2024-56408

CVSS v4.0 · 8.3 · High
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions: PhpSpreadsheet versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 (on the 3.x, 2.3.x, 2.1.x, and 1.x release lines respectively).

Description: The issue is caused by missing output sanitization in the bundled sample script samples/Engineering/Convert-Online.php (installed by Composer under /vendor/phpoffice/phpspreadsheet/), which leads to reflected cross-site scripting. The quantity request parameter is written back into the generated page without encoding, so an attacker who gets a victim to submit a specially crafted request to the vulnerable script (for example by hosting an HTML form that is automatically submitted to it by JavaScript) can execute arbitrary JavaScript in the victim's browser in the context of the site serving the sample.

Recommendations: Update to the patched release for your line: 3.7.0, 2.3.5, 2.1.6, or 1.29.7. As a temporary workaround, encode the quantity variable (for example with htmlspecialchars()) before it is output in /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php. The script is only reachable when the package's samples directory is exposed by the web server, so removing that directory from the document root or denying web access to it also closes the issue.
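The following PHP is an illustration added to this advisory, not PhpSpreadsheet's own sample code or its fix: it reproduces the pattern the advisory describes (a request value echoed into HTML unencoded) next to a hardened version that encodes for the attribute context and, as defence in depth, validates the value as a number. The parameter name quantity comes from the advisory; reading it from a request array shaped like $_POST, the form markup, and the function names are assumptions.

```php
<?php
// Illustrative code added for this advisory; it is not PhpSpreadsheet's own
// sample. It reproduces the unsafe pattern the advisory describes (a request
// value echoed into HTML unencoded) next to a hardened version. The parameter
// name "quantity" comes from the advisory; the request array shape (as with
// $_POST), the markup and the function names are assumptions.

declare(strict_types=1);

/** Vulnerable pattern: the request value is re-emitted verbatim into an HTML attribute. */
function renderQuantityFieldVulnerable(array $request): string
{
    $quantity = $request['quantity'] ?? '1';
    // Quotes and angle brackets in $quantity reach the browser untouched.
    return '<input type="text" name="quantity" value="' . $quantity . '">';
}

/** Hardened pattern: encode for the HTML attribute context before output. */
function renderQuantityFieldSafe(array $request): string
{
    $quantity = (string) ($request['quantity'] ?? '1');
    // ENT_QUOTES matters here: the value sits inside a double-quoted attribute,
    // so an unescaped quote would let the input break out of it.
    $escaped = htmlspecialchars($quantity, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="quantity" value="' . $escaped . '">';
}

/** Defence in depth: a quantity is a number, so reject anything that is not one. */
function normalizeQuantity(array $request): ?float
{
    $raw = $request['quantity'] ?? '1';
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    return $value === false ? null : $value;
}

/** Checks the property that matters: encoding must neutralise a tag-injecting payload. */
function selfCheck(): bool
{
    // Constructed attacker input: closes the attribute and the tag, then injects a script.
    $request = ['quantity' => '"><script>alert(document.domain)</script>'];

    $vulnerable = renderQuantityFieldVulnerable($request);
    $safe = renderQuantityFieldSafe($request);

    return str_contains($vulnerable, '<script>')        // raw tag survives in the vulnerable output
        && !str_contains($safe, '<script>')             // and is encoded away in the hardened one
        && !str_contains($safe, '"><')                  // the attribute is not broken out of
        && normalizeQuantity($request) === null         // the validator rejects the payload
        && normalizeQuantity(['quantity' => '12.5']) === 12.5;
}

if (PHP_SAPI === 'cli') {
    $request = ['quantity' => '"><script>alert(document.domain)</script>'];
    echo 'vulnerable: ', renderQuantityFieldVulnerable($request), PHP_EOL;
    echo 'hardened:   ', renderQuantityFieldSafe($request), PHP_EOL;
    if (!selfCheck()) {
        fwrite(STDERR, "self-check failed\n");
        exit(1);
    }
    echo 'self-check passed', PHP_EOL;
}
```

Save it under any name (for example convert-online-demo.php, an assumed name) and run it with the PHP 8 CLI; str_contains() requires PHP 8.0 or later, which every affected release line already needs. The point of the two checks in selfCheck() is that attribute-context XSS needs both the tag and the closing quote neutralised: htmlspecialchars() without ENT_QUOTES would still let a value such as `" onfocus="..."` escape the attribute even though no angle bracket survives.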

Weakness Enumeration

XSS

Related Identifiers

BDU:2025-00506
CVE-2024-56408
GHSA-X88G-H956-M5XG

Affected Products

Phpspreadsheet