CVE-2024-45292

Exploit

EPSS 0.32%
Veröffentlicht 07.10.2024 20:15:05
Zuletzt bearbeitet 07.03.2025 16:48:11
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Phpoffice ≫ Phpspreadsheet Version < 1.29.2

Phpoffice ≫ Phpspreadsheet Version >= 2.0.0 < 2.1.1

Phpoffice ≫ Phpspreadsheet Version >= 2.2.0 < 2.3.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.23

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r8w8-74ww-j4wh

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-45292

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45292

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45292

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-45292