exploitDog

CVE-2024-45048

Published: 28 Aug 2024
Source: nvd
CVSS3: 8.8
CVSS3: 6.5
EPSS: Low

Description

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a filter bypass that allows an XXE attack. This in turn allows an attacker to obtain the contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*
Versions before 1.29.1 (exclusive)
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*
Versions from 2.0.0 (inclusive) up to 2.2.1 (exclusive)

EPSS

Percentile: 42%
0.00202
Low

8.8 High

CVSS3

6.5 Medium

CVSS3

Weaknesses

CWE-611
CWE-611

Related vulnerabilities

CVSS3: 8.8
github
more than 1 year ago

XXE in PHPSpreadsheet encoding is returned
