Login Sign Up

CVE-2023-28151

5.3 MEDIUM
XXE

📋 TL;DR

This vulnerability in Independentsoft JSpreadsheet allows attackers to perform XML External Entity (XXE) injection by uploading a malicious DOCX file containing a remote DTD. This could lead to sensitive file disclosure, server-side request forgery, or denial of service. Organizations using JSpreadsheet versions before 1.1.110 are affected.

💻 Affected Systems

Products:
  • Independentsoft JSpreadsheet
Versions: All versions before 1.1.110
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when processing DOCX files through the API.

📦 What is this software?

Jspreadsheet by Independentsoft

View all CVEs affecting Jspreadsheet →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through file system access, sensitive data exfiltration, or remote code execution via XXE.

🟠

Likely Case

Unauthorized file read from the server, disclosure of configuration files, or internal network scanning via SSRF.

🟢

If Mitigated

Limited impact with proper input validation, network segmentation, and file upload restrictions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires file upload capability but no authentication. Standard XXE techniques apply.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.110 and later

Vendor Advisory: https://www.independentsoft.de/jword/index.html

Restart Required: Yes

Instructions:

1. Download JSpreadsheet version 1.1.110 or later from Independentsoft website. 2. Replace existing JSpreadsheet library files. 3. Restart the application server. 4. Test DOCX file processing functionality.

🔧 Temporary Workarounds

Disable external entity processing

all

Configure XML parser to disable external entity resolution

Set XML parser properties: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true

Restrict file uploads

all

Block or sanitize DOCX file uploads at the web application level

Implement file type validation and content inspection for uploaded files

🧯 If You Can't Patch

  • Implement strict file upload validation to reject DOCX files
  • Deploy network segmentation to limit server outbound connections

🔍 How to Verify

Check if Vulnerable:

Check JSpreadsheet library version in application dependencies. If version < 1.1.110, system is vulnerable.

Check Version:

Check JSpreadsheet JAR file manifest or dependency configuration (e.g., Maven pom.xml, Gradle build.gradle)

Verify Fix Applied:

After updating, test with a safe DOCX file containing XXE payloads to confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • XML parsing errors
  • Outbound connections to unusual domains during file processing

Network Indicators:

  • HTTP requests to external DTD URLs from application server
  • Unusual outbound traffic patterns after file upload

SIEM Query:

source="application_logs" AND ("DOCX upload" OR "XML parse error") AND dest_ip NOT IN (allowed_ips)

📊 Metadata

CVE ID: CVE-2023-28151
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-611
Published: March 24, 2023
Last Updated: May 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-28151, you might also want to check these:

CVE-2022-22486 10.0

This CVE describes an XML External Entity (XXE) vulnerability in IBM Tivoli Workload Scheduler that ...

Same vulnerability type (CWE-611)
CVE-2025-30220 9.9

This XXE vulnerability in GeoServer's GeoTools Schema class allows attackers to read arbitrary files...

Same vulnerability type (CWE-611)
CVE-2023-27874 9.9

IBM Aspera Faspex 4.4.2 contains an XML external entity injection (XXE) vulnerability that allows au...

Same vulnerability type (CWE-611)