PHPOffice PhpSpreadsheet
Moderate fix4 remedies
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*
Moderate fix4 remedies
- >= 3.0.0, < 3.7.0
- <= 1.29.6
- >= 2.0.0, <= 2.1.5
- >= 2.2.0, <= 2.3.4
PhpSpreadsheet Unauthorized Reflected Cross-Site Scripting Vulnerability in Accounting.php
Vulnerability
Patched
A reflected cross-site scripting vulnerability has been identified in PhpSpreadsheet versions 3.6.0, 2.3.4, 2.1.5, and prior to 1.29.7. The issue resides in the Accounting.php file, specifically within the NumberFormat Wizard sample. This vulnerability allows an attacker to inject malicious scripts that are executed in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, potentially leading to session hijacking or other malicious actions.
Reproduction
To reproduce this vulnerability, send a POST request to the vulnerable Accounting.php script with a crafted currency parameter that includes JavaScript payload, such as an image tag with an 'onerror' event. This can be done manually or automated with a tool like Burp Suite.
Remediation
Users can update to PhpSpreadsheet versions 3.7.0, 2.3.5, 2.1.6, or 1.29.7, all of which include a patch for this vulnerability.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
4.2impact
1.0exploitability
5.6remediation
7.7relevance
0.0threat
6.4urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.