PT-2024-31546 · Unknown · Phpspreadsheet

0Xshade +2 · Published 2024-10-07 · Updated 2025-03-07 · CVE-2024-45293

CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

PHPSpreadsheet versions prior to 1.29.1
PHPSpreadsheet versions prior to 2.1.1
PHPSpreadsheet versions prior to 2.3.0

Description

The security scanner in PHPSpreadsheet's XLSX reader can be bypassed by modifying the XML structure with white-space, allowing sensitive information disclosure through XXE attacks on servers that let users upload their own Excel sheets. The toUtf8 function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check: when it does not find the encoding declaration it defaults to UTF-8, so a UTF-7 encoded XXE payload is treated as UTF-8 and slips past the scanner. The issue can be used to disclose server files and other sensitive information by supplying a crafted Excel sheet.

Recommendations

For PHPSpreadsheet versions prior to 1.29.1, upgrade to version 1.29.1 or later. For PHPSpreadsheet versions prior to 2.1.1, upgrade to version 2.1.1 or later. For PHPSpreadsheet versions prior to 2.3.0, upgrade to version 2.3.0 or later. As a temporary workaround, consider restricting the upload of Excel sheets or disabling the use of PHPSpreadsheet's Excel parser until the patch is applied.
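The encoding check described above, shown as an added PHP example that is not PhpSpreadsheet's own code: a naive check with the pattern-plus-fallback shape beside a hardened one that reads the declaration tolerantly and refuses anything but UTF-8 before scanning for a DTD. All function names and sample documents are constructed for this illustration.

```php
<?php
// Added example, not PhpSpreadsheet's code: the kind of encoding check described
// above (pattern misses a whitespace-padded attribute, then falls back to UTF-8)
// beside a hardened check. Function names are hypothetical.

/** Naive check: no whitespace tolerance, silent UTF-8 fallback. */
function naiveDeclaredEncoding(string $xml): string
{
    if (preg_match('/encoding="([^"]+)"/', $xml, $m)) {
        return strtoupper($m[1]);
    }
    return 'UTF-8'; // `encoding = "UTF-7"` (spaces around =) lands here
}

/** Hardened check: read the encoding from the leading declaration only,
 *  tolerate whitespace and either quote style, refuse anything but UTF-8. */
function declaredEncodingIsUtf8(string $xml): bool
{
    // UTF-16 input (BOM or NUL bytes) would hide <!DOCTYPE from a byte scan.
    if (strpos($xml, "\0") !== false || preg_match('/^(?:\xFE\xFF|\xFF\xFE)/', $xml)) {
        return false;
    }
    // Only a prolog at the very start counts; a UTF-8 BOM before it is fine.
    if (!preg_match('/^(?:\xEF\xBB\xBF)?\s*<\?xml\b(.*?)\?>/s', $xml, $decl)) {
        return true; // no declaration: UTF-8 by default
    }
    if (!preg_match('/encoding\s*=\s*(["\'])\s*([^"\']+?)\s*\1/i', $decl[1], $m)) {
        return true; // declaration without an encoding attribute: UTF-8
    }
    return strtoupper($m[2]) === 'UTF-8';
}

/** Reject a workbook part that declares a DTD or entity, the XXE precondition. */
function xlsxPartIsSafe(string $xml): bool
{
    return declaredEncodingIsUtf8($xml)
        && stripos($xml, '<!DOCTYPE') === false
        && stripos($xml, '<!ENTITY') === false;
}
// Constructed samples, not real workbook parts.
$samples = [
    'plain'   => '<?xml version="1.0" encoding="UTF-8"?><root/>',
    'spaced'  => '<?xml version="1.0" encoding = "UTF-7"?><root/>',
    'doctype' => '<?xml version="1.0"?><!DOCTYPE root []><root/>',
];
foreach ($samples as $name => $xml) {
    printf("%-8s naive=%-6s hardened=%s\n", $name,
        naiveDeclaredEncoding($xml), xlsxPartIsSafe($xml) ? 'accept' : 'reject');
}
```

The 'spaced' sample is the point of the advisory: the naive check reports UTF-8 for it, while the hardened check sees the declared UTF-7 and rejects the part before any parser touches it.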

Related Identifiers

CVE-2024-45293
GHSA-6HWR-6V2F-3M88

Affected Products

Phpspreadsheet