CVE-2024-56408
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in PhpSpreadsheet's sample engineering conversion script. Attackers can inject malicious scripts that execute in users' browsers when they access the vulnerable file. This affects all PhpSpreadsheet installations using vulnerable versions where the sample file is publicly accessible.
💻 Affected Systems
- PHPOffice PhpSpreadsheet
📦 What is this software?
PhpSpreadsheet by PHPOffice
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites if the vulnerable sample file is internet-facing.
Likely Case
Limited impact since this affects a sample file not typically used in production. Most likely scenario is defacement or limited data theft if the file is accidentally exposed.
If Mitigated
Minimal to no impact if the sample directory is properly restricted or removed from production environments.
🎯 Exploit Status
XSS exploitation is straightforward but requires the vulnerable file to be web-accessible. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.0, 2.3.5, 2.1.6, or 1.29.7 depending on your release branch (3.x, 2.3.x, 2.1.x, or 1.x)
Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg
Restart Required: No
Instructions:
1. Identify your PhpSpreadsheet major version (1.x, 2.x, or 3.x) and, for 2.x, whether you are on the 2.1.x or 2.3.x branch.
2. Update to the patched version using Composer: composer update phpoffice/phpspreadsheet
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Remove sample files
Delete or restrict access to the vulnerable sample file. Note that a later composer install or update restores the samples directory, so re-apply the removal or prefer the web-server restriction below.
rm -rf vendor/phpoffice/phpspreadsheet/samples/
Restrict web access
Configure the web server to block access to vendor directories
# Apache (.htaccess placed in vendor/, 2.2-style syntax): Deny from all
# On Apache 2.4 without mod_access_compat the equivalent is: Require all denied
# nginx (inside the server block): location ~ /vendor/ { deny all; }
🧯 If You Can't Patch
- Ensure the vendor directory is not web-accessible
- Remove or restrict the samples/Engineering/ directory
🔍 How to Verify
Check if Vulnerable:
Check if vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php exists and is web-accessible
Check Version:
composer show phpoffice/phpspreadsheet | grep versions
Verify Fix Applied:
Verify PhpSpreadsheet version is 3.7.0+, 2.3.5+, 2.1.6+, or 1.29.7+ and check the file contains proper output escaping
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php with suspicious parameters
Network Indicators:
- Unusual traffic patterns to sample files
SIEM Query:
web_access_logs WHERE uri CONTAINS 'vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php' AND (params CONTAINS '<script>' OR params CONTAINS 'javascript:')
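The SIEM query above and the version check under How to Verify, as an added Python example that is not part of this page or of PhpSpreadsheet: it classifies constructed access-log lines after URL-decoding the query string (so percent-encoded markers such as %3Cscript%3E, which the query as written would miss, are still caught) and compares an installed version against the fix releases listed above. The path and markers come from this page; the log lines are constructed, and the 2.1.x/2.3.x branch split in is_patched is an assumption drawn from the page's version list.

```python
import re
from urllib.parse import unquote_plus

# Sample script named in the advisory (matched with "contains", like the SIEM query).
VULN_PATH = "vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php"
# Markers from the page's SIEM query, checked after URL-decoding.
MARKERS = ("<script", "javascript:")
# Apache/nginx combined log format: client ip, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) \S+" (?P<status>\d{3})')

def flag_log_line(line):
    """(ip, status, "marker") for a request to the sample script whose decoded
    query carries an XSS marker, (ip, status, "access") for any other request
    to it, None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    if VULN_PATH not in path:
        return None
    decoded = unquote_plus(query).lower()  # "%3Cscript%3E" -> "<script>"
    level = "marker" if any(mk in decoded for mk in MARKERS) else "access"
    return (m.group("ip"), int(m.group("status")), level)

def scan_log(lines):
    """Return every hit from flag_log_line, in log order."""
    return [hit for hit in map(flag_log_line, lines) if hit]

def is_patched(version):
    """True if `version` is at or past its branch's fix release. Treating 2.1.x and
    2.2+ as separate branches is an assumption drawn from the page's version list."""
    v = tuple(int(p) for p in version.lstrip("v").split(".")[:3])
    if v[0] >= 3:
        fix = (3, 7, 0)
    elif v[0] == 2:
        fix = (2, 1, 6) if v[1] <= 1 else (2, 3, 5)
    else:
        fix = (1, 29, 7)
    return v >= fix

# Constructed log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2025:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "GET /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php?q=%3Cscript%3E HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Jan/2025:10:00:09 +0000] "GET /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php HTTP/1.1" 404 0',
]
```

Plain "access" hits are worth reviewing too: any request to the sample script on a production host indicates the vendor directory is web-reachable, whatever the parameters.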
🔗 References
- https://github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4
- https://github.com/PHPOffice/PhpSpreadsheet/commit/9b9a55c7154daa7cd4095f618933c240508ba3c1
- https://github.com/PHPOffice/PhpSpreadsheet/commit/a50ebfe118b3ae0ddaea1c48ac19dc38692f4abc
- https://github.com/PHPOffice/PhpSpreadsheet/commit/b8fac55aa5cb7a3d514c7308378bb37bb711b25e
- https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg