CVE-2024-56409: 
PHP vulnerability analysis and mitigation

PhpSpreadsheet, a PHP library for reading and writing spreadsheet files, was found to contain an unauthorized reflected cross-site scripting vulnerability (CVE-2024-56409). The vulnerability affects versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7, specifically in the Currency.php file. The issue was discovered by Aleksey Solovev from Positive Technologies and disclosed on January 3, 2025 (GitHub Advisory).

The vulnerability exists in the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php script due to improper input validation and sanitization. The issue stems from the lack of proper sanitization of the currency parameter, which allows attackers to inject malicious content. The vulnerability has been assigned a CVSS v4.0 score of 8.3 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L (GitHub Advisory).

Successful exploitation of this vulnerability allows attackers to execute arbitrary JavaScript code in the victim's browser. The attack can lead to high integrity impact on the vulnerable system and subsequent systems, though confidentiality impact is limited (GitHub Advisory).

The vulnerability has been patched in versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7. Users are advised to upgrade to these patched versions. The fix includes proper sanitization of the currency variable to prevent XSS attacks (GitHub Advisory).