GHSA-hq76-662x-7mw4: 
PHP vulnerability analysis and mitigation

A high-severity vulnerability (GHSA-hq76-662x-7mw4) has been identified in Pimcore's dependency on PHPOffice/PhpSpreadsheet, affecting multiple versions of Pimcore components. The vulnerability was published on September 3, 2024, and impacts various Pimcore packages including admin-ui-classic-bundle, data-importer, and the core Pimcore package. This security issue stems from a XXE (XML External Entity) vulnerability in PHPOffice/PhpSpreadsheet that could allow attackers to obtain contents of local files (GitHub Advisory).

The vulnerability exists due to a bypass in the encoding filter pattern '/encoding="(.*?)"/', which can be circumvented using a single quote symbol. The vulnerability has been assigned a CVSS score of 8.7, indicating high severity. The attack vector is network-based, with low attack complexity, requiring no privileges but passive user interaction. The vulnerability affects multiple versions including Pimcore admin-ui-classic-bundle (<1.3.11, <1.4.7, <1.5.4), data-importer (<1.8.9, <1.9.3), and core Pimcore packages (10.6.9.0-10.6.9.12, 11.1.0.0-11.1.6.11) (GitHub Advisory).

The successful exploitation of this vulnerability can lead to unauthorized access to local files, even when error reporting is muted by the @ symbol. The vulnerability has high impact ratings for confidentiality, integrity, and availability of the vulnerable system. This allows attackers to perform Local File Inclusion (LFI) attacks and potentially access sensitive system information (GitHub Advisory).

Users are recommended to update to the patched versions: Pimcore admin-ui-classic-bundle (1.3.11, 1.4.7, 1.5.4), data-importer (1.8.9, 1.9.3), and core Pimcore (10.6.9.12, 11.1.6.11). For PHPOffice/PhpSpreadsheet specifically, users should upgrade to version 2.2.2 (GitHub Advisory).