PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addressed in release version 2.2.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda | Patch |
https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7 | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
04 Sep 2024, 17:27
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/PHPOffice/PhpSpreadsheet/commit/bea2d4b30f24bcc8a7712e208d1359e603b45dda - Patch | |
References | () https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-ghg6-32f9-2jp7 - Exploit, Third Party Advisory | |
First Time |
Phpoffice
Phpoffice phpspreadsheet |
|
CPE | cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
29 Aug 2024, 13:25
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
28 Aug 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-28 21:15
Updated : 2024-09-04 17:27
NVD link : CVE-2024-45048
Mitre link : CVE-2024-45048
CVE.ORG link : CVE-2024-45048
JSON object : View
Products Affected
phpoffice
- phpspreadsheet
CWE
CWE-611
Improper Restriction of XML External Entity Reference