CVE-2024-48917

Name of the Vulnerable Software and Affected Versions PhpSpreadsheet versions prior to 1.9.4 PhpSpreadsheet versions prior to 2.1.3 PhpSpreadsheet versions prior to 2.3.2 PhpSpreadsheet versions prior to 3.4.0

Description The XmlScanner class in PhpSpreadsheet has a scan method that is supposed to prevent XXE attacks. However, the regexes from the findCharSet method can be bypassed by using a payload in the encoding UTF-7 and adding a comment with the value encoding="UTF-8" at the end of the file. This allows an attacker to bypass the sanitizer and achieve an XML external entity attack.

Recommendations For versions prior to 1.9.4, update to version 1.9.4 or later. For versions prior to 2.1.3, update to version 2.1.3 or later. For versions prior to 2.3.2, update to version 2.3.2 or later. For versions prior to 3.4.0, update to version 3.4.0 or later. As a temporary workaround, consider disabling the XmlScanner class until a patch is available. Restrict access to the findCharSet method to minimize the risk of exploitation. Avoid using the encoding parameter in the XML header until the issue is resolved.