What is the severity of CVE-2024-56411?

CVE-2024-56411 has a UNKNOWN severity rating. The EPSS (Exploit Prediction Scoring System) score is 0.00041, indicating a 0.0% probability of exploitation in the wild within 30 days.

When was CVE-2024-56411 published?

CVE-2024-56411 was published on January 3, 2025.

CVE-2024-56411

UNKNOWN

Published 2025-01-03T17:19:00.339Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-56411. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

Understanding This Vulnerability

This Common Vulnerabilities and Exposures (CVE) entry provides detailed information about a security vulnerability that has been publicly disclosed. CVEs are standardized identifiers assigned by MITRE Corporation to track and catalog security vulnerabilities across software and hardware products.

The severity rating (UNKNOWN) indicates the potential impact of this vulnerability based on the CVSS (Common Vulnerability Scoring System) framework. Higher severity ratings typically indicate vulnerabilities that could lead to more significant security breaches if exploited. Security teams should prioritize remediation efforts based on severity, exploit availability, and the EPSS (Exploit Prediction Scoring System) score, which predicts the likelihood of exploitation in the wild.

If this vulnerability affects products or systems in your infrastructure, we recommend reviewing the affected products section, checking for available patches or updates from vendors, and implementing recommended workarounds or solutions until a permanent fix is available. Organizations should also monitor security advisories and threat intelligence feeds for updates about active exploitation of this vulnerability.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

PHPOffice

PhpSpreadsheet

Affected Versions:

>= 3.0.0, < 3.7.0 < 1.29.7 >= 2.0.0, < 2.1.6 >= 2.2.0, < 2.3.5

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w (CNA)

https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e (CNA)

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

Not EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

Malicious code in bioql (PyPI)

Affected Products (ENISA)

phpoffice

phpspreadsheet

ENISA Scoring

CVSS Score (4.0)

4.8

/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS Score

0.170

probability

ENISA References

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w

https://nvd.nist.gov/vuln/detail/CVE-2024-56411

https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e

https://github.com/PHPOffice/PhpSpreadsheet

Data provided by ENISA EU Vulnerability Database. Last updated: October 3, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

GHSA-hwcp-2h35-p66w

Advisory Details

# Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) **CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) **Description**: the HTML page is formed without sanitizing the hyperlink base **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateHTMLHeader` **Exploitation conditions**: a user viewing a specially generated Excel file **Mitigation**: additional sanitization of special characters in a string **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header in Phpspreadsheet. The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response. *Listing 8. Source code on the server* ``` <?php require __DIR__ . '/vendor/autoload.php'; $inputFileName = './doc/Book1.xlsx'; $spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll()); ``` An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code. The Excel file is unpacked and a HyperlinkBase in the file is inserted into the `docProps/app.xml` file. ![fig14](https://github.com/user-attachments/assets/f68ef7fc-e78e-4424-8753-4318b6ff51c3) *Figure 14. Embedding the payload* After the changes were made, a new archive with the xlsx extension was created. At the moment of converting the xlsx file into the HTML representation, a property is obtained that participates in the formation of a string without sanitization. ![fig15](https://github.com/user-attachments/assets/0aa7398c-ddd9-4c5a-ab04-41af0236dcba) *Figure 15. Generating the HTML page header using the HyperlinkBase property* After generating and displaying the HTML representation of the XLSX file, arbitrary JavaScript code will be executed. <img width="356" alt="fig16" src="https://github.com/user-attachments/assets/c3694661-31e3-4be8-9a86-6eb4dd4647b5" /> *Figure 16. Executing arbitrary JavaScript code* # Credit This vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**

Affected Packages

Packagist phpoffice/phpspreadsheet

ECOSYSTEM: ≥3.0.0 <3.7.0

Packagist phpoffice/phpspreadsheet

ECOSYSTEM: ≥0 <1.29.7

Packagist phpoffice/phpspreadsheet

ECOSYSTEM: ≥2.0.0 <2.1.6

Packagist phpoffice/phpspreadsheet

ECOSYSTEM: ≥2.2.0 <2.3.5

Packagist phpoffice/phpexcel

ECOSYSTEM: ≥0 ≤1.8.2

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

WEB https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-56411

WEB https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e

PACKAGE https://github.com/PHPOffice/PhpSpreadsheet

Advisory provided by GitHub Security Advisory Database. Published: January 3, 2025, Modified: March 6, 2025

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w

https://github.com/PHPOffice/PhpSpreadsheet/commit/45052f88e04c735d56457a8ffcdc40b2635a028e

Published: 2025-01-03T17:19:00.339Z

Last Modified: 2025-01-03T17:37:25.986Z

Copied to clipboard!

CVE-2024-56411

Expert Analysis

Description

Understanding This Vulnerability

Available Exploits

Related News

Affected Products

PhpSpreadsheet

Affected Versions:

References

EU Vulnerability Database

EU Coordination

Exploitation Status

EUVD ID

ENISA Analysis

Affected Products (ENISA)

ENISA Scoring

CVSS Score (4.0)

EPSS Score

ENISA References

GitHub Security Advisories

PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!