CVE-2024-47873 – PhpSpreadsheet XXE Payload Bypass Vulnerability

CVE ID : CVE-2024-47873

Published : Nov. 18, 2024, 5:15 p.m. | 1 hour, 1 minute ago

Description : PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` method and the findCharSet method can be bypassed by using UCS-4 and encoding guessing. An attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 fix the issue.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2024-47873 – PhpSpreadsheet XXE Payload Bypass Vulnerability