PT-2024-10180 · Phpoffice · Phpspreadsheet

Aleksey Solovev · Published 2024-12-23 · Updated 2025-04-21 · CVE-2024-56409

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions
PhpSpreadsheet versions prior to 3.7.0
PhpSpreadsheet versions prior to 2.3.5
PhpSpreadsheet versions prior to 2.1.6
PhpSpreadsheet versions prior to 1.29.7
Description
The issue is an unauthorized (unauthenticated) reflected cross-site scripting (XSS) vulnerability in the Currency.php file. Using the "/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php" script, an attacker can perform a cross-site scripting attack and execute arbitrary JavaScript code in the victim's browser. The vulnerable component is that same Currency.php file, and the only exploitation condition is that the attacker is an unauthorized user. The researcher discovered this as a zero-day vulnerability.
Recommendations
Update to version 3.7.0, 2.3.5, 2.1.6 or 1.29.7 or later, depending on the release branch in use, to secure your spreadsheets from attacks.
As a temporary workaround, sanitize the currency variable (for example, by validating its value and HTML-encoding it before output) to prevent exploitation.
Restrict access to the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php script to minimize the risk of exploitation; sample scripts shipped under vendor/ do not need to be reachable from the web root.
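As an added illustration of the workaround (this is not PhpSpreadsheet's own code, and the function names, the allowlist pattern and the sample inputs are assumptions), the following contrasts an unescaped reflection of a currency parameter with a version that validates and HTML-encodes it before output:

```php
<?php
// Added illustration for the Currency.php reflected XSS; hypothetical code,
// not the project's own. It contrasts an unsafe echo of a request-supplied
// currency value with a validated, escaped rendering of the same value.
declare(strict_types=1);

// Unsafe pattern: the raw request value lands in HTML unchanged, so any
// markup in a crafted link is interpreted by the victim's browser.
function renderCurrencyUnsafe(string $currency): string
{
    return "<p>Currency: {$currency}</p>";
}

// Assumption: the wizard only needs ISO-4217-style three-letter codes or a
// single currency symbol (e.g. $ or €), so anything else can be rejected.
function isPlausibleCurrency(string $currency): bool
{
    return (bool) preg_match('/^(?:[A-Z]{3}|\p{Sc})$/u', $currency);
}

// Hardened pattern: reject implausible input, then escape on output.
function renderCurrencySafe(string $currency): string
{
    if (!isPlausibleCurrency($currency)) {
        // Reject rather than silently repair; a 400 also leaves a clear
        // trace in access logs if someone probes the parameter.
        http_response_code(400);
        return '<p>Invalid currency.</p>';
    }
    // ENT_QUOTES covers both quote styles (needed should the value ever be
    // placed in an attribute); ENT_SUBSTITUTE avoids an empty result on
    // malformed UTF-8 instead of failing open.
    $escaped = htmlspecialchars($currency, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Currency: {$escaped}</p>";
}

// Constructed inputs: a legitimate code and a markup-bearing string of the
// kind a scanner would submit.
$inputs = ['USD', '<b>USD</b>'];
foreach ($inputs as $input) {
    echo renderCurrencyUnsafe($input), PHP_EOL; // markup passes through
    echo renderCurrencySafe($input), PHP_EOL;   // rejected or escaped
}
```

Run from the command line with `php example.php`; the second input is rejected by the allowlist, and even a value that passed it would reach the page only as escaped text.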

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-00507
CVE-2024-56409
GHSA-J2XG-CJCX-4677

Affected Products

Phpspreadsheet