CVE-2024-45290

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Oct 7, 2024
Updated: Oct 16, 2024
CWE ID 918
CWE ID 36

Summary

CVE-2024-45290 is a vulnerability affecting PhpSpreadsheet, a popular PHP library used for reading and writing spreadsheet files. An attacker can craft a malicious XLSX file containing external URLs; when the file is opened, specially crafted `php://filter` URLs allow the attacker to leak file contents. This issue allows unauthorized access to files on the server or the leakage of information from arbitrary URLs, potentially exposing sensitive data such as AWS IAM credentials. There are no known workarounds for this vulnerability, and users are advised to upgrade to PhpSpreadsheet release versions 1.29.2, 2.1.1, or 2.3.0 as soon as possible. This vulnerability is different from GHSA-w9xv-qf98-ccq4 and affects a different component.

Affected Products

  • PHPOffice PhpSpreadsheet

Affected Vendors

  • PHPOffice