CVE-2024-56411: 
PHP vulnerability analysis and mitigation

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. A cross-site scripting (XSS) vulnerability was discovered in versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7, affecting the hyperlink base in the HTML page header. The vulnerability was disclosed on January 3, 2025, and was assigned CVE-2024-56411 (NVD, GitHub Advisory).

The vulnerability exists in the HTML page generation functionality where the hyperlink base is not properly sanitized before being included in the page header. The issue is present in the PhpOffice\PhpSpreadsheet\Writer\Html class, specifically in the generateHTMLHeader method. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N and CVSS v4.0 score of 4.8 (Medium) with vector AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N (GitHub Advisory).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the browser. The vulnerability can be triggered when a user views a specially crafted Excel file that has been converted to HTML format (GitHub Advisory).

The vulnerability has been patched in versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7. The fix implements additional sanitization of special characters in strings. Users are advised to upgrade to these patched versions to mitigate the vulnerability (GitHub Advisory).