8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-12331

GHSA ID

GHSA-vvwv-h69m-wg6f

EPSS Score

0.5486%

CWE

CWE-611

Published

11/20/2019

Updated

3/6/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-12331

CVE-2019-12331: XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ?<!ENTITY? and thus allowing for an xml external entity processing (XXE) attack.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-12331

GHSA ID

GHSA-vvwv-h69m-wg6f

EPSS Score

0.5486%

CWE

CWE-611

Published

11/20/2019

Updated

3/6/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phpoffice/phpspreadsheet	composer	< 1.8.0	1.8.0
phpoffice/phpexcel	composer	<= 1.8.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incomplete handling of encoding conversions in XML parsing. The XmlScanner's scan method relied on a regex check after a single charset conversion, which could be bypassed via double-encoded UTF-7. The toUtf8 method (in pre-1.8.0 versions) didn't re-validate the charset after conversion, allowing the payload to pass undetected. The fix in 1.8.0 added a second charset check in toUtf8 and improved libxml entity loader management, confirming these functions as the vulnerability points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*PO**i** P*pSpr***s***t ***or* *.*.* **s *n XX* issu*. T** XmlS**nn*r ***o**s t** s***t*.xml *rom *n .xlsx to ut*-* i* som*t*in* *ls* t**n UT*-* is ***l*r** in t** *****r. T*is w*s * s**urity m**sur*m*nt to pr*v*nt *V*-****-***** *ut t** *ix is not

Reasoning

T** vuln*r**ility st*ms *rom in*ompl*t* **n*lin* o* *n*o*in* *onv*rsions in XML p*rsin*. T** `XmlS**nn*r`'s `s**n` m*t*o* r*li** on * r***x ****k **t*r * sin*l* ***rs*t *onv*rsion, w*i** *oul* ** *yp*ss** vi* *ou*l*-*n*o*** UT*-*. T** `toUt**` m*t*o*

8.8

Basic Information

Concerned about an active attack path?

CVE-2019-12331: XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI