PT-2024-31399 · Unknown · Phpspreadsheet
Bytehope · Published 2024-08-28 · Updated 2025-10-09 · CVE-2024-45048

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PHPSpreadsheet versions prior to 2.2.1

Description: The issue allows bypassing a filter, enabling an XXE attack. The attack can obtain the contents of local files even when error reporting is muted. The filter is the regular expression $pattern = '/encoding="(.*?)"/'; because it only matches an encoding declaration written with double quotes, a declaration that uses a single quote symbol bypasses it. A proof of concept involves modifying an xlsx file to include a malicious XML header, which is processed when the file is opened. The estimated number of potentially affected devices worldwide is not provided, and there is no information about real-world incidents where this issue was exploited.

Recommendations: For PHPSpreadsheet versions prior to 2.2.1, upgrade to version 2.2.1 to address the issue. As a temporary workaround, consider restricting the use of the vulnerable IOFactory::load() function until a patch is available. Avoid using the sharedStrings.xml file in the affected xlsx files until the issue is resolved.
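The following PHP script is an added illustration and is not PhpSpreadsheet's own code or its actual patch. It contrasts the charset-detection pattern quoted in the advisory (which recognizes only double-quoted encoding declarations) with a hardened detector that reads the declaration the way an XML parser does, then runs each through a DOCTYPE pre-scan of the kind a reader should perform before handing XML to a parser. The function names, the hardened regular expression and all XML samples are constructed for this example; ext-mbstring is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not PhpSpreadsheet code. Shows how a charset detector that
// only understands encoding="..." misreads a single-quoted declaration, and a
// hardened detector that does not. Requires ext-mbstring. All XML below is
// constructed for this example.

// Weak detection: the pattern named in the advisory. A declaration written
// with single quotes is not matched, so the document is assumed to be UTF-8.
function charsetWeak(string $xml): string
{
    $pattern = '/encoding="(.*?)"/';
    return preg_match($pattern, $xml, $m) ? strtoupper($m[1]) : 'UTF-8';
}

// Hardened detection (an assumed hardening, not the project's actual fix):
// either quote style, optional whitespace around '=', optional UTF-8 BOM,
// and confined to the <?xml ... ?> prolog so body text cannot influence it.
function charsetHardened(string $xml): string
{
    $re = '/^(?:\xEF\xBB\xBF)?\s*<\?xml\s[^?]*?\bencoding\s*=\s*(["\'])([A-Za-z][A-Za-z0-9._-]*)\1/i';
    return preg_match($re, $xml, $m) ? strtoupper($m[2]) : 'UTF-8';
}

// Pre-scan: normalize the bytes to UTF-8 using the detected charset, then
// refuse any document that carries a DOCTYPE (where entities are declared).
// $detect is the charset detector to use; returns a short verdict string.
function prescan(string $xml, callable $detect): string
{
    $charset = $detect($xml);
    if ($charset !== 'UTF-8') {
        try {
            $converted = mb_convert_encoding($xml, 'UTF-8', $charset);
        } catch (\ValueError $e) {           // PHP 8: unknown encoding name
            return 'rejected: unknown encoding ' . $charset;
        }
        if ($converted === false) {          // PHP 7: unknown encoding name
            return 'rejected: unknown encoding ' . $charset;
        }
        $xml = $converted;
    }
    // Allow an optional NUL byte between characters so UTF-16 remnants match.
    $doctype = '/\x00?' . implode('\x00?', str_split('<!DOCTYPE')) . '/i';
    return preg_match($doctype, $xml) ? 'rejected: DOCTYPE present' : 'accepted';
}

// Constructed samples: a clean document, one with a (harmless, internal)
// DOCTYPE, and clean documents whose prolog uses single quotes.
$samples = [
    'plain'            => "<?xml version=\"1.0\" encoding=\"UTF-8\"?><root/>",
    'doctype'          => "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                        . "<!DOCTYPE r [<!ENTITY e \"x\">]><root>&e;</root>",
    'single-quoted'    => "<?xml version='1.0' encoding='ISO-8859-1'?><root/>",
    'spaced-single'    => "<?xml version='1.0' encoding = 'iso-8859-1' ?><root/>",
];

foreach ($samples as $name => $xml) {
    printf("%-15s weak=%-11s hardened=%-11s verdict=%s\n",
        $name, charsetWeak($xml), charsetHardened($xml),
        prescan($xml, 'charsetHardened'));
}
```

For the two single-quoted samples charsetWeak() reports UTF-8, i.e. it never sees the declared charset, while charsetHardened() reports ISO-8859-1; the 'doctype' sample is rejected by the pre-scan. The general lesson is that any byte-level check placed in front of an XML parser must interpret the encoding declaration at least as liberally as the parser itself does, otherwise the check and the parser disagree about what the bytes mean.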

Exploit · Fix · XXE


Weakness Enumeration

Related Identifiers: CVE-2024-45048, GHSA-GHG6-32F9-2JP7

Affected Products: Phpspreadsheet