CVE-2024-45046

5.4 MEDIUM

📋 TL;DR

This vulnerability in PHPSpreadsheet allows cross-site scripting (XSS) through crafted spreadsheet files. When a user views such a file rendered as HTML, the attacker's JavaScript runs in the viewer's browser and can hijack the user's session. Any application that uses PHPSpreadsheet to render spreadsheets as HTML is affected.

💻 Affected Systems

Products:
  • PHPSpreadsheet
Versions: before 2.1.0
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the Html writer component to render spreadsheets as HTML.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete session takeover leading to account compromise, data theft, or further system access depending on user privileges.

🟠 Likely Case: Session hijacking leading to unauthorized access to user accounts and potential data exposure.

🟢 If Mitigated: Limited impact if proper input validation and output encoding are implemented elsewhere in the application.

🌐 Internet-Facing: HIGH - Any web application that allows users to upload and view spreadsheets as HTML is vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable, but the attack surface is reduced compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (a user must open or view the malicious spreadsheet rendered as HTML), but no authentication is needed once the file is processed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.0

Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6

Restart Required: No

Instructions:

1. Update PHPSpreadsheet via Composer: composer require phpoffice/phpspreadsheet:^2.1.0
2. Run composer update
3. Test that spreadsheet HTML rendering still works correctly

🔧 Temporary Workarounds

Disable HTML output: avoid using the Html writer component and use alternative output formats such as PDF or direct download of the spreadsheet file.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution
  • Validate and sanitize all user-uploaded spreadsheet files before processing

🔍 How to Verify

Check if Vulnerable:

Check composer.json or installed packages for PHPSpreadsheet version below 2.1.0

Check Version:

composer show phpoffice/phpspreadsheet | grep versions

Verify Fix Applied:

Verify PHPSpreadsheet version is 2.1.0 or higher using composer show phpoffice/phpspreadsheet
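A shell check that automates the verification above against a composer.lock, added here as an example and not part of the advisory or the PHPSpreadsheet project; the embedded lock-file excerpt is constructed sample input, and the function names are my own.

```shell
# Constructed composer.lock excerpt used as sample input (not a real project's file).
SAMPLE_LOCK='{
  "packages": [
    { "name": "monolog/monolog",
      "version": "3.5.0" },
    { "name": "phpoffice/phpspreadsheet",
      "version": "2.0.0" }
  ]
}'

# Print the locked version of phpoffice/phpspreadsheet read from stdin
# (composer.lock puts "version" on the line after "name"); empty if absent.
phpspreadsheet_version() {
  awk '/"name": *"phpoffice\/phpspreadsheet"/ { found = 1; next }
       found && /"version":/ { sub(/.*"version": *"v?/, ""); sub(/".*/, ""); print; exit }'
}

# True (exit 0) when $1 is older than the 2.1.0 fix release. Compares dotted
# numeric components; a pre-release suffix such as "-beta" is ignored.
is_vulnerable_version() {
  [ -n "$1" ] || return 1
  awk -v a="$1" -v b="2.1.0" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      ai = (i <= n) ? x[i] + 0 : 0; bi = (i <= m) ? y[i] + 0 : 0
      if (ai < bi) exit 0
      if (ai > bi) exit 1
    }
    exit 1 }'
}

# Report on a composer.lock path (default ./composer.lock).
# Exit 0 = vulnerable version locked, 1 = fixed, 2 = package not present.
check_lock_file() {
  v="$(phpspreadsheet_version < "${1:-composer.lock}")"
  if [ -z "$v" ]; then echo "phpoffice/phpspreadsheet not in ${1:-composer.lock}"; return 2; fi
  if is_vulnerable_version "$v"; then
    echo "VULNERABLE: phpoffice/phpspreadsheet $v is below 2.1.0 (CVE-2024-45046)"; return 0
  fi
  echo "OK: phpoffice/phpspreadsheet $v is 2.1.0 or later"; return 1
}

printf '%s\n' "$SAMPLE_LOCK" | phpspreadsheet_version   # prints 2.0.0 for the sample
```

Run check_lock_file against each deployed application's composer.lock; a non-zero exit of 1 means the locked version is at or above the fix release.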

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with spreadsheet extensions
  • Multiple failed HTML rendering attempts
  • Suspicious user agent strings during file upload

Network Indicators:

  • Unexpected JavaScript execution in spreadsheet viewing endpoints
  • Suspicious file uploads to spreadsheet processing endpoints

SIEM Query:

source="web_server" AND (uri="*spreadsheet*" OR uri="*upload*") AND (status=200 OR status=500) AND (user_agent="*curl*" OR user_agent="*wget*")
