CVE-2024-47873
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-47873 is a vulnerability affecting the PhpSpreadsheet PHP library prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0. The issue lies in the scan and findCharSet methods of the XmlScanner class, which are intended to prevent XML External Entity (XXE) attacks. These methods can be bypassed using UCS-4 encoding and encoding guessing techniques, because the scanner inspects the raw bytes of the document while the underlying XML parser guesses the document's encoding and may interpret the same bytes differently. As a result, attackers can manipulate the library into reading and executing unintended external files, leading to potential data leakage or server compromise. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 have been released to address this vulnerability.
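The weakness described above is a mismatch between a byte-level search for DOCTYPE/ENTITY declarations and the encoding detection an XML parser performs on its own. The following is an added example, not PhpSpreadsheet's own code and not the fix shipped in the patched versions: it shows a defensive pre-scan that first determines the byte encoding of an untrusted XML document (from its byte-order mark or the NUL-byte pattern around the leading "<", as XML 1.0 Appendix F recommends), transcodes it to UTF-8, and only then searches for the declarations XXE relies on. The function names and the sample documents are assumptions made for the illustration.

```php
<?php
// Added example (not PhpSpreadsheet's code): normalize the byte encoding of an
// untrusted XML document before looking for DOCTYPE/ENTITY declarations, so a
// declaration written in UCS-4/UTF-32 or UTF-16 is not missed by a plain
// byte-string search. Function names and sample inputs are assumptions.

declare(strict_types=1);

/**
 * Detect the byte encoding of an XML document from its byte-order mark or,
 * failing that, from the NUL pattern of the first character ('<', 0x3C).
 * Returns a name accepted by mb_convert_encoding(); defaults to UTF-8.
 */
function detectXmlByteEncoding(string $xml): string
{
    $head = substr($xml, 0, 4);
    // Byte-order marks for UTF-32 (UCS-4), UTF-16 and UTF-8.
    if ($head === "\x00\x00\xFE\xFF") return 'UTF-32BE';
    if ($head === "\xFF\xFE\x00\x00") return 'UTF-32LE';
    if (substr($head, 0, 2) === "\xFE\xFF") return 'UTF-16BE';
    if (substr($head, 0, 2) === "\xFF\xFE") return 'UTF-16LE';
    if (substr($head, 0, 3) === "\xEF\xBB\xBF") return 'UTF-8';
    // No BOM: infer the encoding from where the NUL bytes sit around '<'.
    if ($head === "\x00\x00\x00\x3C") return 'UTF-32BE';
    if ($head === "\x3C\x00\x00\x00") return 'UTF-32LE';
    if (substr($head, 0, 2) === "\x00\x3C") return 'UTF-16BE';
    if (substr($head, 0, 2) === "\x3C\x00") return 'UTF-16LE';
    return 'UTF-8';
}

/**
 * True when the document, after transcoding to UTF-8, carries a DOCTYPE or
 * ENTITY declaration. A caller should reject such a document instead of
 * handing it to an XML parser.
 */
function containsDoctypeOrEntity(string $xml): bool
{
    $encoding = detectXmlByteEncoding($xml);
    $utf8 = $encoding === 'UTF-8' ? $xml : mb_convert_encoding($xml, 'UTF-8', $encoding);
    if (!is_string($utf8)) {
        // Undecodable input is treated as unsafe rather than silently passed on.
        return true;
    }
    // Drop a UTF-8 BOM (present originally or produced by transcoding one).
    if (substr($utf8, 0, 3) === "\xEF\xBB\xBF") {
        $utf8 = substr($utf8, 3);
    }
    // Case-insensitive search for the declarations an XXE payload needs.
    return (bool) preg_match('/<!(DOCTYPE|ENTITY)\b/i', $utf8);
}

// Constructed sample inputs: the same document, which declares a harmless
// internal entity, once in UTF-8 and once re-encoded as UTF-32BE (UCS-4),
// plus a document with no declarations at all.
$plain = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>';
$ucs4  = mb_convert_encoding($plain, 'UTF-32BE', 'UTF-8');
$clean = '<?xml version="1.0"?><r>ok</r>';

// A naive byte search sees the declaration only in the UTF-8 copy, while the
// normalized check flags both encoded forms and passes the clean document.
var_dump(strpos($plain, '<!DOCTYPE') !== false);
var_dump(strpos($ucs4, '<!DOCTYPE') !== false);
var_dump(containsDoctypeOrEntity($plain));
var_dump(containsDoctypeOrEntity($ucs4));
var_dump(containsDoctypeOrEntity($clean));
```

This pre-scan is a defence-in-depth layer, not a substitute for parser hardening: code that loads spreadsheet XML with DOMDocument or SimpleXML should also keep external entity loading disabled (the PHP default since 8.0, otherwise via libxml_disable_entity_loader() on older releases) and avoid passing LIBXML_DTDLOAD or LIBXML_NOENT, and deployments of PhpSpreadsheet should move to the fixed versions listed above.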
Affected Products
- PHPOffice PhpSpreadsheet
Affected Vendors
- PHPOffice