PhpSpreadsheet Unauthorized Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in PhpSpreadsheet versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7. The issue arises in the constructor of the 'Downloader' class, where user-supplied GET parameters are processed without proper sanitization. This vulnerability can be exploited by an unauthorized user through the '/vendor/phpoffice/phpspreadsheet/samples/download.php' script, leading to the execution of arbitrary JavaScript in the victim's browser.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript code in the context of the user's browser session.

Reproduction

To reproduce this vulnerability, supply a malicious payload in the 'name' parameter, such as an image tag with an 'onerror' event. Then access the 'download.php' script, which reflects the value into the page and causes the browser to execute the JavaScript.

Remediation

Users can update to PhpSpreadsheet versions 3.7.0, 2.3.5, 2.1.6, or 1.29.7, all of which include a patch for this vulnerability.
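As an added illustration (not PhpSpreadsheet's own Downloader code), the snippet below shows the unescaped reflection pattern the advisory describes beside two hardened forms, output escaping and an allowlist check; the function names and the sample input are hypothetical.

```php
<?php
// Hypothetical illustration of the bug class in this advisory; not the
// project's own code. The unsafe variant reflects a GET parameter into
// HTML unescaped, the safe variants neutralise it before it reaches the page.
declare(strict_types=1);

// Unsafe: untrusted input lands in an HTML context verbatim, so any
// markup in the parameter is interpreted by the browser.
function renderErrorUnsafe(array $get): string
{
    $name = $get['name'] ?? '';
    return "<p>Unknown file requested: " . $name . "</p>";
}

// Safe: escape every untrusted value that is written into HTML.
// ENT_QUOTES also encodes single quotes, covering attribute contexts.
function renderErrorSafe(array $get): string
{
    $name = $get['name'] ?? '';
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Unknown file requested: " . $escaped . "</p>";
}

// Stricter: reject anything outside the set of files the endpoint is
// meant to serve, and never echo the rejected value back at all.
function renderErrorStrict(array $get, array $allowedNames): string
{
    $name = $get['name'] ?? '';
    if (!in_array($name, $allowedNames, true)) {
        return "<p>Invalid file name.</p>";
    }
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Unknown file requested: " . $escaped . "</p>";
}

// Constructed sample request: the parameter carries HTML markup.
$sample = ['name' => '<b>not-a-file</b>'];

echo renderErrorUnsafe($sample), PHP_EOL; // markup passes through untouched
echo renderErrorSafe($sample), PHP_EOL;   // markup is entity-encoded
echo renderErrorStrict($sample, ['report.xlsx', 'report.csv']), PHP_EOL;
```

Deployments that do not expose the library's vendor samples directory to the web are not reachable through the path named above; the escaping shown is the general fix for any handler that reflects request parameters.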

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.7
exploitability: 5.6
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.