Description
PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
Summary
\PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.
PoC
Example target script:
Save this file in the same directory: book.xlsx
Open index.php in a web browser. An alert should be displayed.
Impact
Full takeover of the session of users viewing spreadsheet files as HTML.
Packages
phpoffice/phpspreadsheet: affected >= 2.0.0, < 2.1.0; fixed in 2.1.0
phpoffice/phpspreadsheet: affected < 1.29.1; fixed in 1.29.1
phpoffice/phpexcel: affected <= 1.8.2; fixed in: none
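A check for the affected ranges listed above, added here as an example (it is not part of the advisory or of PhpSpreadsheet): it reads a composer.lock and reports whether the installed phpoffice packages fall inside those ranges. The sample lock file is constructed, and versions that are not plain numeric (for example dev branches) are reported for manual review instead of being guessed.

```python
import json
import re

# Affected ranges exactly as listed in this advisory:
# (package, lowest affected or None, upper bound, upper bound inclusive?, fixed release)
AFFECTED = [
    ("phpoffice/phpspreadsheet", (2, 0, 0), (2, 1, 0), False, "2.1.0"),
    ("phpoffice/phpspreadsheet", None, (1, 29, 1), False, "1.29.1"),
    ("phpoffice/phpexcel", None, (1, 8, 2), True, None),
]

def parse_version(text):
    """Return (major, minor, patch), or None for non-numeric versions such as dev-main."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def audit(lock_text):
    """Return [(package, version, status)] for the advisory's packages in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name", "").lower()
        ranges = [r for r in AFFECTED if r[0] == name]
        if not ranges:
            continue  # package is not covered by this advisory
        version = parse_version(pkg.get("version", ""))
        if version is None:
            status = "unknown version, review manually"
        else:
            status = "not affected"
            for _, low, high, inclusive, fixed in ranges:
                above_low = low is None or version >= low
                below_high = version <= high if inclusive else version < high
                if above_low and below_high:
                    status = f"affected, upgrade to {fixed}" if fixed else "affected, no fixed release"
        findings.append((name, pkg.get("version", ""), status))
    return findings

# Constructed sample, not a real project's lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpoffice/phpspreadsheet", "version": "2.0.0"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [{"name": "phpoffice/phpexcel", "version": "1.8.1"}],
})

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```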
Related vulnerabilities
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker may use a crafted spreadsheet to fully take over a session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.