Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-q9jv-mm3r-j47r

GitHub Security Advisory

PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

# Bypass XSS sanitizer using the javascript protocol and special characters

**Product**: Phpspreadsheet
**Version**: version 3.6.0
**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
**CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
**Description**: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link
**Impact**: executing arbitrary JavaScript code in the browser
**Vulnerable component**: class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateRow`
**Exploitation conditions**: a user viewing a specially generated Excel file
**Mitigation**: additional sanitization of special characters in a string
**Researcher**: Aleksey Solovev (Positive Technologies)

# Research

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.

The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.

*Listing 6. Source code on the server*

```
<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileName = './doc/Book1.xlsx';
$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
```

An attacker can use special characters so that this library processes the javascript protocol with special characters and generates a HTML link.
The Excel file is unpacked and a hyperlink in the file is inserted into the `xl/worksheets/sheet1.xml` file.

![fig11](https://github.com/user-attachments/assets/b9d53f7a-6f36-4853-95f9-8aa22f81eccd)

*Figure 11. Using the javascript protocol with special characters*

Some payloads help bypass the security system and carry out a XSS attack.

*Listing 7. HTML form that demonstrates the exploitation of the XSS vulnerability*

```
jav&#x09;ascript:alert()
jav&#x0D;ascript:alert()
jav&#x0A;ascript:alert()
```

It's clear that the javascript protocol with special characters is used.

![fig12](https://github.com/user-attachments/assets/7595e88b-9848-4251-845c-2c2d8032e479)

*Figure 12. Using the javascript protocol with special characters*

Due to the special characters, the execution stream ends up on line 1543, and the link is built in HTML form with the javascript protocol.

<img width="373" alt="fig13" src="https://github.com/user-attachments/assets/3ca0c3c6-daa9-4502-ad9e-b803f308fd26" />

*Figure 13. Executing arbitrary JavaScript code*

# Credit
This vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**

Affected Packages

Packagist phpoffice/phpspreadsheet
Affected versions: 3.0.0 (fixed in 3.7.0)
Packagist phpoffice/phpspreadsheet
Affected versions: 0 (fixed in 1.29.7)
Packagist phpoffice/phpspreadsheet
Affected versions: 2.0.0 (fixed in 2.1.6)
Packagist phpoffice/phpspreadsheet
Affected versions: 2.2.0 (fixed in 2.3.5)
Packagist phpoffice/phpexcel
Affected versions: 0 (last affected: 1.8.2)

Related CVEs

CVE-2024-56412

Key Information

GHSA ID
GHSA-q9jv-mm3r-j47r
Published
January 3, 2025 5:29 PM
Last Modified
March 6, 2025 6:16 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
phpoffice/phpspreadsheet
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.