CVE-2024-56412: 
PHP vulnerability analysis and mitigation

PhpSpreadsheet, a PHP library for reading and writing spreadsheet files, was found to contain a cross-site scripting (XSS) vulnerability identified as CVE-2024-56412. The vulnerability affects versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7, where attackers could bypass the cross-site scripting sanitizer using the javascript protocol and special characters. The vulnerability was discovered by Aleksey Solovev from Positive Technologies and disclosed on January 3, 2025 (GitHub Advisory, NVD).

The vulnerability exists in the PhpOffice\PhpSpreadsheet\Writer\Html class, specifically in the generateRow method. An attacker can exploit this by using special characters that allow the library to process the javascript protocol and generate an HTML link. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) and a CVSS v4.0 score of 4.8 (MEDIUM). The attack vector is network-based, with low attack complexity and requires low privileges with user interaction (GitHub Advisory).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the browser. This occurs when a user views a specially crafted Excel file that has been processed by the library. The vulnerability specifically impacts the HTML generation functionality when processing spreadsheet files (GitHub Advisory).

The vulnerability has been patched in versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7. The fix includes additional sanitization of special characters in strings. Users are advised to upgrade to these patched versions to protect against potential XSS attacks (GitHub Advisory, NVD).