CVE-2024-45292: 
PHP vulnerability analysis and mitigation

PHPSpreadsheet, a pure PHP library for reading and writing spreadsheet files, contains a Cross-Site Scripting (XSS) vulnerability in its HTML writer component. The vulnerability exists in \PhpOffice\PhpSpreadsheet\Writer\Html which fails to sanitize "javascript:" URLs from hyperlink href attributes. This security issue was discovered and disclosed on October 7, 2024, affecting versions from 2.2.0 to 2.3.0, 2.0.0 to 2.1.1, and versions prior to 1.29.2 (GitHub Advisory).

The vulnerability has been assigned CVE-2024-45292 with a CVSS v3.1 base score of 5.4 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability specifically relates to the HTML writer component's handling of hyperlink href attributes, where javascript: URLs are not properly sanitized, potentially allowing for Cross-Site Scripting attacks (GitHub Advisory).

The vulnerability could allow attackers to execute malicious JavaScript code in the context of users viewing HTML output generated by the PHPSpreadsheet library. This could lead to unauthorized access to sensitive information and potential manipulation of web content (GitHub Advisory).

The vulnerability has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (GitHub Advisory).