2024-11-19
Platform: PhpSpreadsheet
Version: < 1.29.4, >= 2.0.0 < 2.1.3, >= 2.2.0 < 2.3.2, >= 3.3.0 < 3.4.0
Vulnerability: XXE (XML External Entity)
Severity: High
Date: October 10, 2024
What Undercode Says:
This blog post details a recently discovered XXE vulnerability in PhpSpreadsheet versions prior to 1.29.4, 2.1.3, 2.3.2, and 3.4.0. The vulnerability resides in the `XmlScanner` class’s `findCharSet` method, which is responsible for determining the file’s character encoding. An attacker can exploit this by crafting a specific payload encoded in UTF-7 and appending a specially crafted comment to bypass the sanitization mechanism. This allows for remote code execution on the vulnerable system.
The blog post also outlines steps to create a Proof-of-Concept (PoC) exploit and recommends upgrading to patched versions (1.29.4, 2.1.3, 2.3.2, or 3.4.0) to mitigate the risk.
Reported By: Github.com