CVE-2024-48917: 
PHP vulnerability analysis and mitigation

PhpSpreadsheet, a PHP library for reading and writing spreadsheet files, was found to contain a vulnerability (CVE-2024-48917) in its XmlScanner class. The vulnerability was discovered as a bypass of the previously reported CVE-2024-47873, where the security mechanism designed to prevent XXE (XML External Entity) attacks could be circumvented. This vulnerability affects multiple versions of PhpSpreadsheet prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0 (GitHub Advisory).

The vulnerability exists in the XmlScanner class's findCharSet method, which is responsible for determining the current encoding. The bypass involves using a payload in UTF-7 encoding and adding a comment at the end of the file with the value encoding="UTF-8" using double quotes, which is matched by the first regex. This allows encoding='UTF-7' with single quotes in the XML header to bypass the second regex check. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with no required privileges or user interaction (GitHub Advisory, NVD).

The successful exploitation of this vulnerability allows an attacker to bypass the XML sanitizer and achieve an XML External Entity (XXE) attack. This can lead to the disclosure of confidential data, denial of service, server-side request forgery, and port scanning from the perspective of the machine where the parser is located (OWASP XXE).

The vulnerability has been fixed in PhpSpreadsheet versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0. Users are strongly advised to upgrade to these patched versions to prevent potential XXE attacks (GitHub Advisory).