Home > Vulnerability Database > CVE-2024-45046

Mend.io Vulnerability Database

CVE-2024-45046

Date: August 28, 2024

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions "\PhpOffice\PhpSpreadsheet\Writer\Html" doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker may used a crafted spreadsheet to fully takeover a session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: C++

Severity Score

5.4

Related Resources (6)

Url: https://github.com/PHPOffice/PhpSpreadsheet/commit/f7cf378faed2e11cf4825bf8bafea4922ae44667

Url: https://github.com/PHPOffice/PhpSpreadsheet

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45046

Url: https://github.com/PHPOffice/PhpSpreadsheet/pull/3957

Url: https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-wgmf-q9vr-vww6

Url: https://www.mend.io/vulnerability-database/CVE-2024-45046

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45046

Date: August 28, 2024

Language: C++

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?