PT-2024-65: Unauthorized Reflected XSS in PhpSpreadsheet (Accounting.php)

HIGH
(8.3) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
THREATSCAPE

Analytics articles

What are the security threats on your network?

Check your traffic-for free
Request pilot

Vulnerability type:
  • CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability vector:

  • Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
  • Severity (CVSSv3.1): 8.2 (high)
  • Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L
  • Severity (CVSSv4.0): 8.3 (high)

Description:

The vulnerability was identified in PhpSpreadsheet, versions >= 3.0.0, < 3.7.0/ <= 1.29.6/ >= 2.0.0, <= 2.1.5/ >= 2.2.0, <= 2.3.4.

The discovered vulnerability allows an unauthorized attacker to execute arbitrary JavaScript code in the browser.

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 27.12.2024

Recommendations:

  • Update versions >= 3.0.0, < 3.7.0 to 3.7.0 or higher
  • Update versions <= 1.29.6 to 1.29.7 or higher
  • Update versions >= 2.0.0, <= 2.1.5 to 2.1.6 or higher
  • Update versions >= 2.2.0, <= 2.3.4 to 2.3.5 or higher

Additional information: Security advisory

Researcher: Aleksey Solovev (Positive Technologies)

Identifier:
CVE-2024-56366
BDU:2025-00503
Vendor:
PHPOffice
Vulnerable product:
PhpSpreadsheet
Vulnerable version:
>= 3.0.0, < 3.7.0/ <= 1.29.6/ >= 2.0.0, <= 2.1.5/ >= 2.2.0, <= 2.3.4

Get in touch

Fill in the form and our specialists
will contact you shortly