5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45292

GHSA ID

GHSA-r8w8-74ww-j4wh

EPSS Score

0.38804%

CWE

CWE-79

Published

10/7/2024

Updated

3/6/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45292

CVE-2024-45292: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Summary

\PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize "javascript:" URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability.

PoC

Example target script:

<?php

require 'vendor/autoload.php';

$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());

Save this file in the same directory: book.xlsx

Open index.php in a web browser and click on both links. The first demonstrates the vulnerability in a regular hyperlink and the second in a HYPERLINK() formula.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-45292

GHSA ID

GHSA-r8w8-74ww-j4wh

EPSS Score

0.38804%

CWE

CWE-79

Published

10/7/2024

Updated

3/6/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phpoffice/phpspreadsheet	composer	>= 2.2.0, < 2.3.0	2.3.0
phpoffice/phpspreadsheet	composer	< 1.29.2	1.29.2
phpoffice/phpspreadsheet	composer	>= 2.0.0, < 2.1.1	2.1.1
phpoffice/phpexcel	composer	<= 1.8.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the unvalidated handling of hyperlink URLs in the HTML generation process. The commit diff shows the fix was applied to the generateRow method in Html.php, where hyperlink URLs were previously embedded directly via htmlspecialchars() without protocol checks. The added validation logic in the patch (checking for allowed protocols like http/https) confirms this was the vulnerable code path. The PoC and CWE-79 classification further align with this being an XSS vector via improper output sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry `\P*pO**i**\P*pSpr***s***t\Writ*r\*tml` *o*s not s*nitiz* "j*v*s*ript:" URLs *rom *yp*rlink `*r**` *ttri*ut*s, r*sultin* in * *ross-Sit* S*riptin* vuln*r**ility. ### Po* *x*mpl* t*r**t s*ript: ``` <?p*p r*quir* 'v*n*or/*utolo**.p*p';

Reasoning

T** vuln*r**ility st*ms *rom t** unv*li**t** **n*lin* o* *yp*rlink URLs in t** *TML **n*r*tion pro**ss. T** *ommit *i** s*ows t** *ix w*s *ppli** to t** `**n*r*t*Row` m*t*o* in `*tml.p*p`, w**r* *yp*rlink URLs w*r* pr*viously *m****** *ir**tly vi* `*

5.4

Basic Information

Concerned about an active attack path?

CVE-2024-45292: PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Summary

PoC

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI