CVE-2024-56366
📋 TL;DR
PhpSpreadsheet versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a reflected cross-site scripting vulnerability in the Accounting.php sample script. An attacker can inject malicious scripts that execute in victims' browsers when they visit a crafted URL. This affects any PHP application using vulnerable PhpSpreadsheet versions with the sample scripts accessible.
💻 Affected Systems
- PHPOffice PhpSpreadsheet
📦 What is this software?
Phpspreadsheet by Phpoffice
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal session cookies, credentials, or perform actions as authenticated users, potentially leading to account takeover or data theft.
Likely Case
Attackers execute arbitrary JavaScript in victims' browsers, potentially stealing session data or redirecting to malicious sites.
If Mitigated
Limited impact if sample scripts are not publicly accessible or input validation blocks malicious payloads.
🎯 Exploit Status
Exploitation requires victims to visit a specially crafted URL containing malicious payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.0, 2.3.5, 2.1.6, or 1.29.7
Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-c6fv-7vh8-2rhr
Restart Required: No
Instructions:
1. Identify your PhpSpreadsheet version.
2. Update to a patched version using composer: composer require phpoffice/phpspreadsheet:"^3.7.0" (or the appropriate version for your branch).
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Remove sample scripts
Delete or restrict access to the vulnerable Accounting.php sample script
rm -rf vendor/phpoffice/phpspreadsheet/samples/
Block access to samples directory
Configure the web server to deny access to the samples directory
# Apache:
<Location "/vendor/phpoffice/phpspreadsheet/samples/">
    Require all denied
</Location>
# Nginx:
location ~ ^/vendor/phpoffice/phpspreadsheet/samples/ { deny all; }
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to block inline scripts
- Deploy WAF rules to detect and block XSS payloads in URLs
🔍 How to Verify
Check if Vulnerable:
Check whether the Accounting.php sample script exists and is reachable over the web, and whether the installed PhpSpreadsheet version is below the patched version for its branch (3.7.0, 2.3.5, 2.1.6, or 1.29.7)
Check Version:
composer show phpoffice/phpspreadsheet | grep versions
Verify Fix Applied:
Confirm PhpSpreadsheet version is 3.7.0+, 2.3.5+, 2.1.6+, or 1.29.7+ and sample scripts are not publicly accessible
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php with suspicious parameters
- URLs containing script tags or JavaScript in query parameters
Network Indicators:
- Unusual traffic patterns to sample script endpoints
- Requests with encoded JavaScript payloads in URL parameters
SIEM Query:
source="web_access_logs" AND uri="/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
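As an added example (not part of the advisory), the Log Indicators above can be checked with a small parser over access-log lines; unlike the literal SIEM match, it URL-decodes the query string (twice) so percent-encoded and double-encoded payloads are also caught. The log lines are constructed, and the parameter name "q" is a placeholder rather than the sample script's real parameter.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Vulnerable sample script path named in the advisory.
SAMPLE_PATH = "/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php"

# Markers named in the advisory (<script> tags and javascript: URLs), matched
# after URL-decoding so percent-encoded payloads are not missed.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Common/Combined Log Format: client ident user [time] "METHOD URI PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_query(uri: str) -> str:
    """Return the query string decoded twice, so double-encoded payloads surface too."""
    return unquote_plus(unquote_plus(urlsplit(uri).query))


def scan_access_log(lines):
    """Return one dict per request to the sample script whose decoded query carries an XSS marker."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access-log line
        uri = m.group("uri")
        if urlsplit(uri).path != SAMPLE_PATH:
            continue  # requests to other paths are out of scope for this indicator
        decoded = decode_query(uri)
        if XSS_MARKERS.search(decoded):
            hits.append({"client": m.group("client"), "time": m.group("time"),
                         "status": m.group("status"), "query": decoded})
    return hits


# Constructed log lines (not real traffic); "q" is a placeholder parameter name.
_ACC = SAMPLE_PATH
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET {_ACC}?q=<script>alert(1)</script> HTTP/1.1" 200 512',
    f'203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET {_ACC}?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    f'198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET {_ACC}?q=%2520javascript%253Aalert%25281%2529 HTTP/1.1" 200 512',
    f'192.0.2.9 - - [10/Jan/2025:10:00:04 +0000] "GET {_ACC}?q=1234.56 HTTP/1.1" 200 512',
    '192.0.2.9 - - [10/Jan/2025:10:00:05 +0000] "GET /index.php?q=<script>alert(1)</script> HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["query"])
```

Requests to other paths and benign requests to the sample script are skipped; only the first three constructed lines are reported.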