{ "id": "CVE-2024-45292", "sourceIdentifier": "security-advisories@github.com", "published": "2024-10-07T20:15:05.857", "lastModified": "2025-03-07T17:02:34.363", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\\PhpOffice\\PhpSpreadsheet\\Writer\\Html` does not sanitize \"javascript:\" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability." }, { "lang": "es", "value": "PHPSpreadsheet es una librer\u00eda PHP pura para leer y escribir archivos de hojas de c\u00e1lculo. `\\PhpOffice\\PhpSpreadsheet\\Writer\\Html` no elimina las URL \"javascript:\" de los atributos de hiperv\u00ednculo `href`, lo que genera una vulnerabilidad de cross-site scripting. Este problema se ha solucionado en las versiones de lanzamiento 1.29.2, 2.1.1 y 2.3.0. Se recomienda a todos los usuarios que actualicen la versi\u00f3n. No existen workarounds conocidas para esta vulnerabilidad." } ], "metrics": { "cvssMetricV31": [ { "source": "security-advisories@github.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE" }, "exploitabilityScore": 2.3, "impactScore": 2.7 }, { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE" }, "exploitabilityScore": 2.3, "impactScore": 2.7 } ] }, "weaknesses": [ { "source": "security-advisories@github.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-79" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.29.2", "matchCriteriaId": "9FB20F02-0DCA-4875-B1AF-E6969820AD9A" }, { "vulnerable": true, "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.1.1", "matchCriteriaId": "79F5B018-FDB7-40DC-9B67-7312ED70808F" }, { "vulnerable": true, "criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.2.0", "versionEndExcluding": "2.3.0", "matchCriteriaId": "4B62CAAE-2E1E-42A2-9152-2DB7E3DA36A8" } ] } ] } ], "references": [ { "url": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r8w8-74ww-j4wh", "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ] } ] }