CVE-2024-56412

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7

Description The issue is related to the bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters so that the library processes the javascript protocol with special characters and generates an HTML link, allowing for the execution of arbitrary JavaScript code in the browser. The vulnerable component is the PhpOfficePhpSpreadsheetWriterHtml class, specifically the generateRow method. Exploitation conditions include a user viewing a specially generated Excel file.

Recommendations For versions prior to 3.7.0, update to version 3.7.0 or later. For versions prior to 2.3.5, update to version 2.3.5 or later. For versions prior to 2.1.6, update to version 2.1.6 or later. For versions prior to 1.29.7, update to version 1.29.7 or later. As a temporary workaround, consider additional sanitization of special characters in strings to prevent exploitation.