CVE-2024-45293: 
PHP vulnerability analysis and mitigation

PHPSpreadsheet, a pure PHP library for reading and writing spreadsheet files, was found to contain a security vulnerability (CVE-2024-45293) related to XXE attacks in the XLSX reader. The vulnerability was discovered on October 7, 2024, affecting versions prior to 1.29.1, 2.0.0 to 2.1.1, and 2.2.0 to 2.3.0. The security scanner responsible for preventing XXE attacks could be bypassed by modifying the XML structure using white-spaces (GitHub Advisory).

The vulnerability exists in the security scan function within src/PhpSpreadsheet/Reader/Security/XmlScanner.php, which contains a flawed XML encoding check in the toUtf8 function. The function searches for XML encoding through a defined regex looking for encoding="*" and/or encoding='*'. If not found, it defaults to UTF-8 encoding, bypassing the conversion logic. This can be exploited by passing a UTF-7 encoded XXE payload and utilizing whitespace before or after the = in the attribute definition. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows sensitive information disclosure through XXE on sites that permit users to upload their own Excel spreadsheets and parse them using PHPSpreadsheet's Excel parser. Server files and sensitive information can be disclosed by providing a crafted sheet (GitHub Advisory).

The vulnerability has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (GitHub Advisory).