PhpSpreadsheet Unauthorized Reflected Cross-Site Scripting Vulnerability in Currency.php

A reflected cross-site scripting vulnerability has been identified in PhpSpreadsheet versions 3.6.0, 2.3.4, 2.1.5, and prior to 1.29.7. The issue arises in the 'Currency.php' file, where user-controlled input is not properly sanitized, allowing for the injection of malicious scripts. This vulnerability can be exploited by an unauthorized user through the '/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php' script.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, potentially leading to session hijacking or other malicious actions.

Reproduction

To reproduce this vulnerability, send a POST request to the 'Currency.php' script with a crafted 'currency' parameter that includes JavaScript code, such as an image tag with an 'onerror' event. The absence of proper input sanitization will result in the execution of the injected script in the context of the user's browser.

Remediation

Users can update to PhpSpreadsheet versions 3.7.0, 2.3.5, 2.1.6, or 1.29.7, all of which include a patch for this vulnerability.