Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-wv23-996v-q229

GitHub Security Advisory

PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

# Cross-Site Scripting (XSS) vulnerability in custom properties

**Product**: Phpspreadsheet
**Version**: version 3.6.0
**CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
**CVSS vector v.3.1**: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
**CVSS vector v.4.0**: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)
**Description**: the HTML page is generated without clearing custom properties
**Impact**: executing arbitrary JavaScript code in the browser
**Vulnerable component**: class `PhpOffice\PhpSpreadsheet\Writer\Html`, method `generateMeta`
**Exploitation conditions**: a user viewing a specially generated Excel file
**Mitigation**: additional sanitization of special characters in a string
**Researcher**: Aleksey Solovev (Positive Technologies)

# Research

The researcher discovered zero-day vulnerability Cross-Site Scripting (XSS) vulnerability in custom properties in Phpspreadsheet.
The following code is written on the server, which translates the XLSX file into a HTML representation and displays it in the response.

*Listing 9. Source code on the server*

```
<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileName = './doc/Book1.xlsx';
$spreadsheet = \PhpOffice\PhpSpreadsheet\IOFactory::load($inputFileName);
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
```

An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code.
The Excel file is unpacked and a custom property in the file is inserted into the `docProps/custom.xml` file.

![fig17](https://github.com/user-attachments/assets/65453b48-bca5-4f5c-a683-315a7bb1ab1f)

*Figure 17. Embedding the payload*

After making the changes, a new archive with the xlsx extension was created. At the moment of converting the xlsx file into an HTML representation, a property is obtained that participates in the formation of a string without sanitization.

![fig18](https://github.com/user-attachments/assets/e0f63bfb-d9e1-4c9d-a2a9-8a0a20406cdc)

*Figure 18. Getting a custom property*

When calling the static `generateMeta` method, you can see that the key of the custom property is displayed without sanitization.

![fig19](https://github.com/user-attachments/assets/8c74e264-af68-4f62-8ac7-437e65884e86)

*Figure 19. Getting a custom property*

As a result, when viewing the excel file as the HTML representation, arbitrary JavaScript code will be executed.

<img width="356" alt="fig20" src="https://github.com/user-attachments/assets/a6ed21e3-685c-415c-b2dc-453bc0652bef" />

*Figure 20. Executing arbitrary JavaScript code*

# Credit
This vulnerability was discovered by **Aleksey Solovev (Positive Technologies)**

Affected Packages

Packagist phpoffice/phpspreadsheet
Affected versions: 3.0.0 (fixed in 3.7.0)
Packagist phpoffice/phpspreadsheet
Affected versions: 0 (fixed in 1.29.7)
Packagist phpoffice/phpspreadsheet
Affected versions: 2.0.0 (fixed in 2.1.6)
Packagist phpoffice/phpspreadsheet
Affected versions: 2.2.0 (fixed in 2.3.5)
Packagist phpoffice/phpexcel
Affected versions: 0 (last affected: 1.8.2)

Related CVEs

CVE-2024-56410

Key Information

GHSA ID
GHSA-wv23-996v-q229
Published
January 3, 2025 5:25 PM
Last Modified
March 6, 2025 6:18 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
phpoffice/phpspreadsheet
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.