CVE-2024-45046
CVSS V2 None
CVSS V3 None
Description
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions, `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result, an attacker may use a crafted spreadsheet to fully take over the session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Overview
- CVE ID: CVE-2024-45046
- Assigner: GitHub_M
- Vulnerability Status: PUBLISHED
- Published Version: 2024-08-28T20:41:23.628Z
- Last Modified Date: 2024-08-28T20:41:23.628Z
Weakness Enumerations
References
Reference URL | Reference Tags |
---|---|
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6 | x_refsource_CONFIRM |
https://github.com/PHPOffice/PhpSpreadsheet/pull/3957 | x_refsource_MISC |
https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667 | x_refsource_MISC |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-45046 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45046 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2024-08-29 13:08:46 | | | | Added to TrackCVE |