CVE-2024-45046: 
PHP vulnerability analysis and mitigation

CVE-2024-45046 affects PHPSpreadsheet, a pure PHP library for reading and writing spreadsheet files. The vulnerability was discovered in the HTML writer component and disclosed on August 28, 2024. The vulnerability affects versions 2.0.0 through 2.1.0 and versions prior to 1.29.1 of PHPSpreadsheet (GitHub Advisory).

The vulnerability exists in the \PhpOffice\PhpSpreadsheet\Writer\Html component which fails to properly sanitize spreadsheet styling information, such as font names. This allows an attacker to inject arbitrary JavaScript code into the generated HTML output. The vulnerability has been assigned a CVSS v3.1 score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) (GitHub Advisory, NVD).

A successful exploitation of this vulnerability could allow an attacker to achieve full session takeover of users who are viewing spreadsheet files as HTML. The vulnerability impacts both confidentiality and integrity at a low level, while availability is not affected (GitHub Advisory).

The vulnerability has been patched in PHPSpreadsheet versions 2.1.0 and 1.29.1. All users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (NVD).