CVE-2024-48917: XXE in PHPSpreadsheet's XLSX reader
The XmlScanner class has a scan method which should prevent XXE attacks. However, we found another bypass than the previously reported CVE-2024-47873, the regexes from the findCharSet method, which is used for determining the current encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment with the value encoding=“UTF-8” with “, which is matched by the first regex, so that encoding=‘UTF-7’ with single quotes ’ in the XML header is not matched by the second regex
References
- github.com/PHPOffice/PhpSpreadsheet
- github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php
- github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-7cc9-j4mv-vcjp
- github.com/advisories/GHSA-7cc9-j4mv-vcjp
- nvd.nist.gov/vuln/detail/CVE-2024-48917
- owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
Detect and mitigate CVE-2024-48917 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →