GHSA-c6fv-7vh8-2rhr

Описание

Unauthorized Reflected XSS in the Accounting.php file

Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) CVSS vector v.4.0: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) Description: using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php script, an attacker can perform a XSS-type attack Impact: executing arbitrary JavaScript code in the browser Vulnerable component: the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php file Exploitation conditions: an unauthorized user Mitigation: sanitization of the currency variable Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in Accounting.php file) in Phpspreadsheet.

There is no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php file, which leads to the possibility of a XSS attack. Strings are formed using the currency parameter without sanitization, which is controlled by the attacker.

Figure 7. A fragment of the query in which a string and a parameter are formed without sanitization

An attacker can prepare a special HTML form that will be automatically sent to the vulnerable scenario.

Listing 4. HTML form that demonstrates the exploitation of the XSS vulnerability

After sending the script provided in Listing 4, the XSS vulnerability is exploited. Figure 8 shows the execution of arbitrary JavaScript code during the submission of a POST form.

Figure 8. Executing arbitrary JavaScript code

Credit

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)