CVE-2024-47873

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published: Nov 18, 2024
Updated: Nov 19, 2024
CWE ID 611

Summary

CVE-2024-47873 is a vulnerability affecting the PhpSpreadsheet PHP library prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0. The issue lies in the scan and findCharSet methods of the XmlScanner class, which are intended to prevent XML External Entity (XXE) attacks. These checks can be bypassed by supplying XML in UCS-4 encoding and exploiting the scanner's encoding-guessing logic. As a result, an attacker can cause the library to read and process unintended external files, leading to potential data leakage or server compromise. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 have been released to address this vulnerability.
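As an added illustration (Python, not PhpSpreadsheet's own PHP code), the following contrasts a byte-level DOCTYPE/ENTITY check, which a UCS-4 (UTF-32) encoded document slips past because every character is padded with NUL bytes, with a check that first determines the encoding from the BOM or leading NUL-byte pattern and scans the decoded text. The sample documents are constructed; the entity URI is a placeholder.

```python
import codecs
import re

# Constructed samples (not from the advisory): one document carrying an external
# entity declaration, one harmless document.
PAYLOAD_XML = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM '
               '"file:///constructed/placeholder">]><r>&x;</r>')
SAFE_XML = '<?xml version="1.0" encoding="UTF-8"?><r>hello</r>'


def naive_scan(data: bytes) -> bool:
    """Raw byte search for DTD markers. Correct for UTF-8 input, but the same
    markup in UCS-4 is interleaved with NUL bytes and is never matched."""
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data


def detect_encoding(data: bytes) -> str:
    """Derive the byte encoding from a BOM, or from the NUL layout of the first
    '<' (the heuristic given in the XML 1.0 spec, Appendix F), before any
    text-level check is made. Wider BOMs are tested first because the UTF-32-LE
    BOM begins with the UTF-16-LE BOM bytes."""
    if data.startswith(codecs.BOM_UTF32_LE):
        return "utf-32-le"
    if data.startswith(codecs.BOM_UTF32_BE):
        return "utf-32-be"
    if data.startswith(codecs.BOM_UTF16_LE):
        return "utf-16-le"
    if data.startswith(codecs.BOM_UTF16_BE):
        return "utf-16-be"
    head = data[:4]
    if head == b"\x00\x00\x00<":
        return "utf-32-be"
    if head == b"<\x00\x00\x00":
        return "utf-32-le"
    if head[:2] == b"\x00<":
        return "utf-16-be"
    if head[:2] == b"<\x00":
        return "utf-16-le"
    return "utf-8"


DTD_MARKER_RE = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def hardened_scan(data: bytes) -> bool:
    """Decode using the detected encoding, then look for any DTD or entity
    declaration in the resulting text, so the encoding no longer matters."""
    text = data.decode(detect_encoding(data), errors="replace")
    return DTD_MARKER_RE.search(text) is not None
```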



Affected Products

  • PHPOffice PhpSpreadsheet

Affected Vendors

  • PHPOffice