
CVE-2024-45046: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.30609%
Published: 8/29/2024
Updated: 3/6/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name               Ecosystem   Vulnerable Versions   First Patched Version
phpoffice/phpspreadsheet   composer    >= 2.0.0, < 2.1.0     2.1.0
phpoffice/phpspreadsheet   composer    < 1.29.1              1.29.1
phpoffice/phpexcel         composer    <= 1.8.2              (none listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from unsanitized font name input in style generation: the HTML writer copied each cell's font name verbatim into the CSS rules it emits inside a `<style>` element. Because a browser treats everything up to the first `</style>` as raw stylesheet text, a font name such as 'Calibri</style><script>alert(1)</script>' closes the stylesheet early and the trailing `<script>` element is parsed as live markup, injecting executable JavaScript into the HTML output. The commit diff shows the fix added htmlspecialchars() to escape font names in createCSSStyleFont. The test case testXssInFontName in XssVulnerabilityTest.php demonstrates this attack vector, and the patch specifically addresses it by escaping font names.
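The following script is an added illustration of the root cause above; it is not code from PhpSpreadsheet or from this advisory. The two `cssFontFamily*` helpers are simplified stand-ins for the font-name handling in `createCSSStyleFont` before and after the fix (assumption: only the `font-family` fragment is modelled, and `renderStyleBlock` approximates how the HTML writer wraps generated CSS in an inline `<style>` element). The payload string is constructed from the font name quoted in the analysis.

```php
<?php
// Added example for CVE-2024-45046 (not PhpSpreadsheet's own code).
// cssFontFamilyVulnerable / cssFontFamilyFixed are simplified stand-ins for the
// pre-fix and post-fix font-name handling in Writer\Html::createCSSStyleFont();
// renderStyleBlock approximates how the writer embeds generated CSS in <style>.

declare(strict_types=1);

/** Pre-fix behaviour (assumed): the font name is concatenated into CSS untouched. */
function cssFontFamilyVulnerable(string $fontName): string
{
    return "font-family:'" . $fontName . "';";
}

/** Post-fix behaviour: the font name is HTML-escaped before reaching the stylesheet. */
function cssFontFamilyFixed(string $fontName): string
{
    return "font-family:'" . htmlspecialchars($fontName, ENT_QUOTES, 'UTF-8') . "';";
}

/** Wraps one CSS rule in a minimal HTML document the way an inline-stylesheet writer would. */
function renderStyleBlock(string $cssRule): string
{
    return "<html><head><style>\n  td.style0 { " . $cssRule . " }\n</style></head><body>\n"
        . "<table><tr><td class=\"style0\">cell</td></tr></table>\n</body></html>";
}

/**
 * Detection check: an HTML parser treats everything up to the FIRST "</style>" as raw
 * CSS text, so a <script> element is only live if it appears after that point.
 */
function hasScriptOutsideStyle(string $html): bool
{
    $styleEnd = stripos($html, '</style>');
    if ($styleEnd === false) {
        return stripos($html, '<script') !== false;
    }
    return stripos($html, '<script', $styleEnd) !== false;
}

// Constructed attacker-controlled font name (the value a malicious spreadsheet would carry).
$payload = "Calibri</style><script>alert(1)</script>";

$vulnerableHtml = renderStyleBlock(cssFontFamilyVulnerable($payload));
$fixedHtml      = renderStyleBlock(cssFontFamilyFixed($payload));

printf("vulnerable output executes script: %s\n", hasScriptOutsideStyle($vulnerableHtml) ? 'yes' : 'no');
printf("fixed output executes script:      %s\n", hasScriptOutsideStyle($fixedHtml) ? 'yes' : 'no');
```

The escaped form survives because the HTML parser does not decode character references inside a `<style>` element: `&lt;/style&gt;` is inert CSS text and never terminates the stylesheet, so no `<script>` element is ever created. Against a real install of an affected version, the same payload reaches the writer through `$sheet->getStyle('A1')->getFont()->setName($payload)` followed by `(new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet))->generateHtmlAll()`; the check above can then be run over that output in place of the stand-in `renderStyleBlock`.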

WAF Protection Rules

WAF Rule

Summary: `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.

PoC example target script:
<?php require 'vendor/au
