
CVE-2019-12331: XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.5486%
Published: 11/20/2019
Updated: 3/6/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
phpoffice/phpspreadsheet | composer | < 1.8.0 | 1.8.0
phpoffice/phpexcel | composer | <= 1.8.2 | none listed

No patched version is listed for phpoffice/phpexcel, the unmaintained predecessor of PhpSpreadsheet; the only remediation is migrating to phpoffice/phpspreadsheet 1.8.0 or later.

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from incomplete handling of encoding conversions in XmlScanner. Before 1.8.0, scan() normalised the XML once: toUtf8 read the encoding="..." declaration, converted the bytes from that charset to UTF-8, and scan() then ran a regex looking for <!DOCTYPE. A payload whose DOCTYPE is UTF-7-encoded twice survives this. A single conversion strips only the outer layer, leaving UTF-8 text that still carries its encoding="UTF-7" declaration and a UTF-7 shift sequence in place of <!DOCTYPE, so the regex matches nothing; the XML parser, which honours the declaration, then decodes the inner layer and resolves the entities. toUtf8 never re-read the declaration after converting. The fix in 1.8.0 re-checks the declared charset after the conversion and aborts the load if it is still not UTF-8, since a surviving non-UTF-8 declaration is exactly the signature of double encoding, and it also tightens the handling of libxml's entity loader around parsing. The vulnerable code points are therefore XmlScanner::scan and XmlScanner::toUtf8.


WAF Protection Rules

WAF Rule

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to UTF-8 if something other than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277, but the fix is not complete.
