CVE-2024-56411

5.4 MEDIUM

📋 TL;DR

PhpSpreadsheet versions before 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting vulnerability in the HTML writer: the document's hyperlink base property is written into the header of the generated HTML page without being escaped. An attacker who controls that value can break out of the attribute and inject markup or script that runs in the browser of anyone who views the generated page. This affects any PHP application that uses a vulnerable PhpSpreadsheet version to produce HTML output from data it does not fully control.

💻 Affected Systems

Products:
  • PHPOffice/PhpSpreadsheet
Versions: All versions before 3.7.0, 2.3.5, 2.1.6, and 1.29.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that generate HTML output using PhpSpreadsheet's HTML writer.

📦 What is this software?

PhpSpreadsheet (PHPOffice/PhpSpreadsheet) is a pure-PHP library for reading and writing spreadsheet files in formats such as XLSX, XLS, ODS and CSV, and for rendering a workbook to HTML or PDF. It is the successor of PHPExcel and is installed through Composer as phpoffice/phpspreadsheet. Its HTML writer (PhpOffice\PhpSpreadsheet\Writer\Html) is the component affected by this CVE.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal session cookies, credentials, or perform actions as authenticated users when victims view maliciously crafted HTML output.

🟠

Likely Case

Limited XSS attacks against users who view HTML output from PhpSpreadsheet, potentially leading to session hijacking or credential theft.

🟢

If Mitigated

No impact if the application runs a fixed version, never uses the HTML writer, or validates or escapes the hyperlink base value before it reaches the writer.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires that the attacker controls the hyperlink base value that ends up in the document properties (for example through a workbook the application loads from an untrusted source, or through a form field the application copies into the properties), and that a victim then views the HTML the application generates from it. No special tooling is needed beyond crafting the value.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.0, 2.3.5, 2.1.6, or 1.29.7

Vendor Advisory: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w

Restart Required: No

Instructions:

1. Identify the installed PhpSpreadsheet version (composer show phpoffice/phpspreadsheet).
2. Update via Composer: composer require phpoffice/phpspreadsheet:^3.7.0 (or ^2.3.5, ~2.1.6 or ~1.29.7 if you must stay on an older major/minor line).
3. Test the HTML generation functionality of your application.

🔧 Temporary Workarounds

Disable HTML Output (all platforms)

Avoid using PhpSpreadsheet's HTML writer if possible; the other writers are not affected by this issue.

Manual Sanitization (all platforms)

Validate or escape the hyperlink base before it reaches the writer: reject anything that is not an absolute http(s) URL, or clear the property (setHyperlinkBase('')) after loading an untrusted workbook and before generating HTML.

🧯 If You Can't Patch

  • Serve the generated pages with a Content Security Policy that does not allow inline script (for example script-src 'self' without 'unsafe-inline'); this stops the injected script from executing even if the markup gets through.
  • Apply HTML-attribute encoding (htmlspecialchars with ENT_QUOTES) or strict validation to every user-controlled value that ends up in an HTML context, including document properties read from uploaded files.

🔍 How to Verify

Check if Vulnerable:

You are exposed if the installed version is below the fixed release for its line and your code uses the HTML writer. Check the installed (locked) version rather than the constraint in composer.json:

composer show phpoffice/phpspreadsheet | grep versions

and look for uses of the writer in your code base, e.g. grep -rn 'Writer\\Html' src/ or calls to IOFactory::createWriter($spreadsheet, 'Html').

Verify Fix Applied:

The reported version is 3.7.0+, 2.3.5+ (2.3 line), 2.1.6+ (2.1 line) or 1.29.7+ (1.x line).
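The following script, written for this page as an added example and not taken from PhpSpreadsheet or the advisory, covers both the manual-sanitization workaround and the verification step above. It assumes a Composer-installed PhpSpreadsheet (vendor/autoload.php) and relies on Properties::setHyperlinkBase()/getHyperlinkBase() and Writer\Html::generateHtmlAll(), which are present in the affected release lines. The probe value and the sample inputs are constructed for the demonstration; the helper names are the author's own.

```php
<?php
// Added example, not code from the PhpSpreadsheet project or the advisory.
// Assumes: Composer autoloader at vendor/autoload.php, and the
// setHyperlinkBase()/getHyperlinkBase()/generateHtmlAll() methods of the
// affected releases. Helper names below are the example's own.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;

/**
 * Runtime probe: render a workbook whose hyperlink base carries an
 * attribute break-out and check whether it reached the HTML unescaped.
 * Returns true when the installed writer escapes it (i.e. is patched).
 */
function htmlWriterEscapesHyperlinkBase(): bool
{
    $probe = '"><script>xss-probe</script>';   // constructed probe value
    $spreadsheet = new Spreadsheet();
    $spreadsheet->getProperties()->setHyperlinkBase($probe);
    $html = (new Html($spreadsheet))->generateHtmlAll();

    // A patched writer emits &quot;&gt;&lt;script&gt;..., never a raw tag.
    return strpos($html, '<script>xss-probe</script>') === false;
}

/**
 * Workaround for unpatched versions: accept only an absolute http(s) URL
 * made of URL-safe characters, otherwise drop the value entirely.
 * Validation is used instead of pre-encoding so the same code keeps
 * working after the upgrade (the fixed writer encodes the value itself;
 * encoding twice would turn an & in a query string into &amp;amp;).
 */
function sanitizeHyperlinkBase(string $candidate): string
{
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return '';
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    // Anything that could close the attribute or open a tag is rejected.
    if (preg_match('/[\s"\'<>\\\\]/', $candidate) === 1) {
        return '';
    }
    return $candidate;
}

/**
 * Load an untrusted workbook and neutralise its hyperlink base before any
 * HTML is generated from it.
 */
function loadForHtmlExport(string $path): Spreadsheet
{
    $spreadsheet = IOFactory::load($path);
    $props = $spreadsheet->getProperties();
    $props->setHyperlinkBase(sanitizeHyperlinkBase($props->getHyperlinkBase()));
    return $spreadsheet;
}

// --- demonstration on constructed input ---
printf("Installed HTML writer escapes the hyperlink base: %s\n",
    htmlWriterEscapesHyperlinkBase() ? 'yes (patched)' : 'NO (vulnerable)');

$samples = [
    'https://intranet.example/reports/',          // kept
    'https://intranet.example/?a=1&b=2',          // kept, & left untouched
    '"><script>alert(document.cookie)</script>',  // dropped: not a URL
    'javascript:alert(1)',                        // dropped: bad scheme
    'https://x.example/" onmouseover="alert(1)',  // dropped: quote in URL
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", $s,
        sanitizeHyperlinkBase($s) === '' ? '(rejected)' : 'accepted');
}
```

Run htmlWriterEscapesHyperlinkBase() once in a deployment check or a unit test: on an unpatched install it returns false, which tells you the workaround in loadForHtmlExport() is still load-bearing; after the upgrade it returns true and the sanitizer simply becomes a second layer.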

📡 Detection & Monitoring

Log Indicators:

  • The injection does not cause the writer to fail, so do not expect generation errors. If the application logs document properties of loaded workbooks (or the input it copies into them), alert on hyperlink base values containing '"', '<', '>' or a non-http(s) scheme.
  • Uploads of spreadsheets from unexpected users or sources shortly before a burst of views of the HTML export.

Network Indicators:

  • HTML responses from spreadsheet-export endpoints whose <head> contains a <script> tag or an event-handler attribute (onload=, onerror=, ...) that the application itself does not emit.

SIEM Query:

Search responses from spreadsheet-export/HTML-generation endpoints for a hyperlink base attribute value that breaks out of its attribute (a '"' followed by '>' or '<') or that contains '<script' or 'javascript:'. A valid hyperlink base is a single http(s) URL and should never contain those characters.

🔗 References

  • GitHub Security Advisory GHSA-hwcp-2h35-p66w: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hwcp-2h35-p66w
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-56411