2 matches found
CVE-2024-47873 PhpSpreadsheet XmlScanner bypass leads to XXE
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the scan method and the findCharSet method can be bypassed by using...
XXE in PHPSpreadsheet's XLSX reader
Summary The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel XLSX sheets, Server files and sensitive information can be disclosed by...