CVE-2024-48917
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-48917 is a new vulnerability affecting the PhpSpreadsheet PHP library. Despite previous efforts to prevent XML External Entity (XXE) attacks, the `XmlScanner` class's `scan` method can be bypassed. By using a payload in UTF-7 encoding and adding a comment with the value "encoding=UTF-8" in the file, attackers can trick the library into believing the file is UTF-8 encoded, while the actual encoding is UTF-7. This bypass allows the attacker to inject malicious XML code and execute unauthorized remote code. Versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 of PhpSpreadsheet have been released to address this issue.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- PHPOffice PhpSpreadsheet
Affected Vendors
- .php/ Office