PT-2024-31397 · Phpoffice · Phpspreadsheet

Emilvirkki

·

Published

2024-08-28

·

Updated

2024-09-04

·

CVE-2024-45046

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

PhpSpreadsheet versions prior to 2.1.0

Description

The PhpOffice\PhpSpreadsheet\Writer\Html component does not sanitize spreadsheet styling information, such as font names, before emitting it into the generated HTML. A spreadsheet carrying a crafted font name therefore injects arbitrary JavaScript into the page, which executes in the browser of anyone who views the file as HTML and can lead to a full takeover of that user's session.

Recommendations

Upgrade to PhpSpreadsheet 2.1.0 or later, which fixes the issue. Where the upgrade cannot be applied immediately, do not render untrusted spreadsheet files through PhpOffice\PhpSpreadsheet\Writer\Html: disable the component, or restrict which users and which files can reach it, until the upgraded release is deployed.
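The injection mechanism described above, as an added illustration that is not PhpSpreadsheet's own code: a minimal cell-to-HTML renderer that copies a font name into CSS the way the advisory describes (verbatim, no escaping), next to a hardened version. The `Cell` class, the `style` attribute context (the advisory does not say exactly where the font name lands) and the sample payload are all constructed for this example.

```php
<?php
// Added example, not code from PhpSpreadsheet. It models the bug class from
// CVE-2024-45046: spreadsheet styling data (a font name) flows into HTML
// output without sanitization, so it can break out of its CSS context.

declare(strict_types=1);

// Constructed stand-in for a spreadsheet cell with one styling property.
final class Cell
{
    public function __construct(
        public string $value,
        public string $fontName,
    ) {
    }
}

// Vulnerable rendering: the cell value is escaped, but the font name is
// dropped into the style attribute verbatim. A name containing '">' closes
// the attribute and the tag, and everything after it is parsed as markup.
function renderCellVulnerable(Cell $cell): string
{
    return '<td style="font-family:' . $cell->fontName . '">'
        . htmlspecialchars($cell->value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Hardened rendering in two layers: first reduce the font name to the
// character set a real font name needs (letters, digits, space, hyphen,
// underscore), then attribute-escape it. Either layer alone would already
// keep the payload inside the attribute; together they are defence in depth.
function sanitizeFontName(string $name): string
{
    $clean = preg_replace('/[^\p{L}\p{N} _-]/u', '', $name) ?? '';
    return $clean === '' ? 'sans-serif' : $clean;
}

function renderCellHardened(Cell $cell): string
{
    $font = htmlspecialchars(sanitizeFontName($cell->fontName), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td style="font-family:' . $font . '">'
        . htmlspecialchars($cell->value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Cheap regression check for generated output: a renderer that handles
// styling correctly must never emit a script element from cell data.
function leaksScript(string $html): bool
{
    return str_contains(strtolower($html), '<script');
}

// Constructed sample: a cell whose font name carries an XSS payload.
$hostile = new Cell('total', 'Arial"><script>alert(1)</script><td x="');

$vulnerable = renderCellVulnerable($hostile);
$hardened   = renderCellHardened($hostile);

echo $vulnerable, PHP_EOL;
// -> the <script> element survives verbatim and would run in the viewer's browser
echo $hardened, PHP_EOL;
// -> <td style="font-family:Arialscriptalert1scripttd x">total</td>

var_dump(leaksScript($vulnerable)); // bool(true)
var_dump(leaksScript($hardened));   // bool(false)
```

The sanitizer is deliberately stricter than what CSS allows in `font-family`; a spreadsheet viewer has no need to preserve quotes, parentheses or angle brackets in a font name, and rejecting them removes the whole class of context breakouts rather than one payload. None of this replaces the upgrade to 2.1.0: it only shows what the fixed writer has to guarantee, and a consumer of the library cannot retrofit it from outside the HTML writer.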

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-45046
GHSA-wgmf-q9vr-vww6

Affected Products

Phpspreadsheet