Lucene search
K

7 matches found

RedhatCVE
RedhatCVE
added 2025/02/05 8:28 a.m.15 views

CVE-2024-47873

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the scan method and the findCharSet method can be bypassed by using...

7.5CVSS6.5AI score0.0076EPSS
Exploits1References1
OSV
OSV
added 2024/11/18 8:1 p.m.35 views

GHSA-7CC9-J4MV-VCJP XXE in PHPSpreadsheet's XLSX reader

Summary The XmlScanner class has a scan method which should prevent XXE attacks. However, we found another bypass than the previously reported CVE-2024-47873, the regexes from the findCharSet method, which is used for determining the current encoding can be bypassed by using a payload in the...

7.5CVSS7.5AI score0.00718EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2024/11/18 8:1 p.m.360 views

XXE in PHPSpreadsheet's XLSX reader

Summary The XmlScanner class has a scan method which should prevent XXE attacks. However, we found another bypass than the previously reported CVE-2024-47873, the regexes from the findCharSet method, which is used for determining the current encoding can be bypassed by using a payload in the...

7.5CVSS7.5AI score0.00718EPSS
Exploits1References5Affected Software2
CVE
CVE
added 2024/11/18 7:48 p.m.68 views

CVE-2024-48917

CVE-2024-48917 (PhpSpreadsheet XXE bypass) : The XmlScanner in PhpSpreadsheet can be bypassed via the encoding detection logic (findCharSet) when processing XML with UTF-7 payloads, allowing an XML External Entity attack. A comment injection at the end of the file encoding tag (e.g., encoding="UT...

7.5CVSS7.5AI score0.00718EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2024/11/18 5:3 p.m.31 views

CVE-2024-47873 PhpSpreadsheet XmlScanner bypass leads to XXE

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the scan method and the findCharSet method can be bypassed by using...

7.5CVSS7.2AI score0.0076EPSS
Exploits1References4
CVE
CVE
added 2024/11/18 5:3 p.m.87 views

CVE-2024-47873

PhpSpreadsheet's XML scanner contains a bypass that can enable XML External Entity (XXE) attacks. The findCharSet/scan logic can be bypassed by encoding tricks (e.g., UCS-4, UTF-7) and encoding guessing, allowing sanitizers to be circumvented. Affected versions are prior to 1.9.4, 2.1.3, 2.3.2, a...

7.5CVSS7.4AI score0.0076EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2024/11/18 5:3 p.m.19 views

CVE-2024-47873 PhpSpreadsheet XmlScanner bypass leads to XXE

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the scan method and the findCharSet method can be bypassed by using...

7.5CVSS6.6AI score0.0076EPSS
Exploits1References6
Rows per page
Query Builder