CVE-2024-45060
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in PHPSpreadsheet's sample script '45_Quadratic_equation_solver.php' that allows formula injection. User-supplied parameters are concatenated directly into spreadsheet formulas and reflected back without validation or encoding, so an attacker can inject JavaScript that executes in the browser of anyone viewing the page. This affects anyone who has deployed the sample scripts from a vulnerable PHPSpreadsheet version in a production environment.
💻 Affected Systems
- PHPSpreadsheet
📦 What is this software?
Phpspreadsheet by Phpoffice
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of user sessions, credential theft, and unauthorized actions performed on behalf of authenticated users through JavaScript execution.
Likely Case
Session hijacking, data exfiltration, and defacement of web pages through injected malicious scripts.
If Mitigated
Limited impact with proper input validation and output encoding, potentially only affecting the specific sample script functionality.
🎯 Exploit Status
Exploitation requires the vulnerable sample script to be accessible and user input to be processed through it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.29.2, 2.1.1, or 2.3.0
Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-v66g-p9x6-v98p
Restart Required: No
Instructions:
1. Update PHPSpreadsheet to version 1.29.2, 2.1.1, or 2.3.0 using Composer: 'composer require phpoffice/phpspreadsheet:^1.29.2' (or the constraint matching your release line).
2. Remove any deployed sample scripts from production environments.
3. Verify the update by checking the version recorded in composer.lock.
🔧 Temporary Workarounds
Remove sample scripts
Delete or restrict access to the vulnerable sample script '45_Quadratic_equation_solver.php' in production environments.
rm /path/to/45_Quadratic_equation_solver.php
Input validation
Implement strict input validation so that only numeric values are accepted for the vulnerable parameters, and HTML-encode any value that is reflected back into the page.
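The following Python is an added illustration of the validation described above; it is not code from the PHPSpreadsheet project or from the page, and the parameter names A, B and C and the discriminant formula are assumptions for the example. The point is that the request values never reach the formula string as text: they are parsed as numbers first, the formula is built from the parsed floats, and anything echoed back to the page is HTML-escaped.

```python
import html
import re

# Strict numeric grammar: optional sign, digits, optional fraction, optional exponent.
# Letters, '=', '(', quotes and '<' are all rejected before they can reach a formula.
_NUMERIC = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")

def validate_coefficient(name, raw):
    """Return the coefficient as a float, or raise ValueError for any non-numeric input."""
    # PHP-style frameworks can hand an array (A[]=1) where a scalar is expected; reject it.
    if not isinstance(raw, str):
        raise ValueError(f"{name}: expected a single string value")
    value = raw.strip()
    if not _NUMERIC.fullmatch(value):
        raise ValueError(f"{name}: not a plain number")
    return float(value)

def build_discriminant_formula(a, b, c):
    """Build the spreadsheet formula for b^2 - 4ac from already-validated floats.

    Formatting the floats ourselves guarantees the formula text only contains
    digits, signs, '.', 'e' and parentheses, never user-controlled characters.
    """
    return f"=({b!r})^2-4*({a!r})*({c!r})"

def render_input_echo(raw):
    """HTML-escape a raw request value before reflecting it into the response page."""
    return html.escape(raw, quote=True)

def solve_request(params):
    """Process a request dict such as {'A': '1', 'B': '-3', 'C': '2'} (constructed sample).

    Returns (formula_text, roots); raises ValueError on any non-numeric coefficient.
    """
    a = validate_coefficient("A", params.get("A", ""))
    b = validate_coefficient("B", params.get("B", ""))
    c = validate_coefficient("C", params.get("C", ""))
    if a == 0:
        raise ValueError("A: must be non-zero for a quadratic")
    formula = build_discriminant_formula(a, b, c)
    disc = b * b - 4 * a * c
    if disc < 0:
        roots = ()
    else:
        root = disc ** 0.5
        roots = ((-b + root) / (2 * a), (-b - root) / (2 * a))
    return formula, roots

if __name__ == "__main__":
    print(solve_request({"A": "1", "B": "-3", "C": "2"}))
    try:
        solve_request({"A": "=A1", "B": "1", "C": "1"})
    except ValueError as exc:
        print("rejected:", exc)
```

The same shape applies to the PHP sample: cast or validate `$_POST` values to numbers before building the formula, and pass any reflected value through `htmlspecialchars()` rather than echoing it raw.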
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in input parameters.
- Disable or restrict access to the vulnerable sample script using access controls or web server configuration.
🔍 How to Verify
Check if Vulnerable:
Check whether '45_Quadratic_equation_solver.php' exists in your deployment and whether the installed PHPSpreadsheet version is below the fixed release for its line (1.29.2, 2.1.1, or 2.3.0).
Check Version:
composer show phpoffice/phpspreadsheet | grep versions
Verify Fix Applied:
Verify with 'composer show' that the installed PHPSpreadsheet version is 1.29.2, 2.1.1, or 2.3.0 (or later in the same line), and confirm that no sample scripts remain deployed.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to sample script URLs containing JavaScript or formula syntax
- Error logs showing malformed input to quadratic equation solver
Network Indicators:
- HTTP requests to paths containing '45_Quadratic_equation_solver.php' with suspicious parameters
SIEM Query:
source="web_logs" AND (url="*45_Quadratic_equation_solver.php*" AND (param="*<script>*" OR param="*=*"))
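As an added example (not part of the page and not tooling from the project), the Python below applies the detection idea behind the SIEM query to raw web server access logs. Instead of pattern-matching on '<script>' it flags any request to '45_Quadratic_equation_solver.php' whose decoded parameter values are not plain numbers, which catches formula syntax and markup alike without depending on a specific payload string. The combined log format, the '/samples/' path and the log lines themselves are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_SCRIPT = "45_Quadratic_equation_solver.php"

# Same strict numeric grammar the solver should enforce; anything else is suspicious here.
_NUMERIC = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")

# Apache/nginx combined log format (assumed); request target is captured as one token.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one benign call, one formula-syntax value, one non-numeric
# value, and one unrelated request that must be ignored.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Sep/2024:12:00:01 +0000] "GET /samples/45_Quadratic_equation_solver.php?A=1&B=-3&C=2 HTTP/1.1" 200 1532',
    '10.0.0.7 - - [10/Sep/2024:12:00:09 +0000] "GET /samples/45_Quadratic_equation_solver.php?A=%3DSUM(1%2C2)&B=2&C=1 HTTP/1.1" 200 1601',
    '10.0.0.9 - - [10/Sep/2024:12:00:15 +0000] "GET /samples/45_Quadratic_equation_solver.php?A=1%2B1&B=1&C=1 HTTP/1.1" 200 1598',
    '10.0.0.3 - - [10/Sep/2024:12:00:20 +0000] "GET /index.php?page=help HTTP/1.1" 200 812',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = _LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so '%3D' becomes '=' before the numeric check.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def suspicious_params(params):
    """Return the (name, value) pairs whose decoded value is not a plain number."""
    return [(k, v) for k, v in params if not _NUMERIC.fullmatch(v.strip())]

def find_alerts(lines):
    """Return one alert per request to the sample script carrying a non-numeric parameter."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(TARGET_SCRIPT):
            continue
        bad = suspicious_params(rec["params"])
        if bad:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "params": bad})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```

Because the allow-list is "numeric only", the rule needs no payload dictionary and is not bypassed by encoding or by splitting a string across parameters; the trade-off is that it only applies to this script, where the legitimate input space is known to be numbers.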