CVE-2024-45293
HIGHEPSS 85th pctlDescription
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
How to fix
Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
CVSS v3 Vector
Exploitability
Impact
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit Intelligence
Elevated risk: more likely to be exploited than 85% of all known CVEs.
References
Related Vulnerabilities
Other CWE-611 (XML External Entity (XXE)) vulnerabilities, ordered by exploit likelihood. View all
| CVE | Severity | CVSS | EPSS | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2024-34102 | Critical | 9.8 | 100% | KEV | Fix |
| CVE-2019-9670 | Critical | 9.8 | 100% | KEV | Fix |
| CVE-2022-28219 | Critical | 9.8 | 97% | - | - |
| CVE-2024-22024 | High | 8.3 | 95% | - | - |
| CVE-2024-38653 | High | 7.5 | 92% | - | - |
| CVE-2017-12629 | Critical | 9.8 | 92% | - | Fix |
Embed a live status badge for CVE-2024-45293
Markdown
[](https://tridentstack.com/cve/CVE-2024-45293)HTML
<a href="https://tridentstack.com/cve/CVE-2024-45293"><img src="https://tridentstack.com/cve/badge/CVE-2024-45293.svg" alt="CVE-2024-45293"></a>Find and fix vulnerabilities across your fleet
TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start freeThis product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-03-07.