PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file

🗓️ 03 Jan 2025 16:05:26Reported by GitHub Advisory DatabaseType

Unauthorized XSS vulnerability in Convert-Online.php allows execution of arbitrary JavaScript code.

Reporter	Title	Published	Views	Family All 15
Circl	CVE-2024-56408	3 Jan 202501:11	–	circl
CNNVD	PhpSpreadsheet 安全漏洞	3 Jan 202500:00	–	cnnvd
CVE	CVE-2024-56408	3 Jan 202516:05	–	cve
Cvelist	CVE-2024-56408 PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file	3 Jan 202516:05	–	cvelist
EUVD	EUVD-2025-0053	3 Oct 202520:07	–	euvd
NVD	CVE-2024-56408	3 Jan 202516:15	–	nvd
OSV	CVE-2024-56408 PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file	3 Jan 202516:05	–	osv
OSV	GHSA-X88G-H956-M5XG PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file	3 Jan 202516:05	–	osv
Positive Technologies	PT-2024-10179 · Phpoffice · Phpspreadsheet	23 Dec 202400:00	–	ptsecurity
Positive Technologies	PT-2024-64: Unauthorized Reflected XSS in PhpSpreadsheet (Convert-Online.php)	27 Dec 202400:00	–	ptsecurity

Vulners

Node

phpoffice phpexcelRange≤1.8.2composer

phpoffice phpspreadsheetRange2.2.0–2.3.4composer

phpoffice phpspreadsheetRange2.0.0–2.1.5composer

phpoffice phpspreadsheetRange3.0.0–3.7.0composer

Source	Link
github	www.github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-x88g-h956-m5xg
github	www.github.com/PHPOffice/PhpSpreadsheet/commit/700a80346be269af668914172bc6f4521982d0b4
nvd	www.nvd.nist.gov/vuln/detail/CVE-2024-56408
github	www.github.com/PHPOffice/PhpSpreadsheet/commit/9b9a55c7154daa7cd4095f618933c240508ba3c1
github	www.github.com/PHPOffice/PhpSpreadsheet/commit/a50ebfe118b3ae0ddaea1c48ac19dc38692f4abc
github	www.github.com/PHPOffice/PhpSpreadsheet/commit/b8fac55aa5cb7a3d514c7308378bb37bb711b25e
github	www.github.com/advisories/GHSA-x88g-h956-m5xg

20 May 2025 18:30Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.15.4

CVSS 48.3

EPSS0.01392

SSVC