CVE-2024-48917

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Nov 18, 2024
Updated: Nov 19, 2024
CWE ID 611

Summary

CVE-2024-48917 is a new vulnerability affecting the PhpSpreadsheet PHP library. Despite previous efforts to prevent XML External Entity (XXE) attacks, the `XmlScanner` class's `scan` method can be bypassed. By using a payload in UTF-7 encoding and adding a comment with the value "encoding=UTF-8" in the file, attackers can trick the library into believing the file is UTF-8 encoded, while the actual encoding is UTF-7. This bypass allows the attacker to inject malicious XML code and execute unauthorized remote code. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 of PhpSpreadsheet have been released to address this issue.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Products

  • PHPOffice PhpSpreadsheet

Affected Vendors

  • .php/ Office