PhpSpreadsheet HTML Writer Cross-Site Scripting Vulnerability via Custom Number Format

Vulnerability

A cross-site scripting vulnerability has been identified in PhpSpreadsheet versions 1.30.3 and earlier, as well as 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0. The issue lies in the HTML Writer component, which does not escape a cell's formatted text when the cell uses a custom number format that combines the '@' text placeholder with additional literal text, such as '@ "items"' or '"Total:" @'. This allows an attacker who controls cell content in a crafted spreadsheet to inject arbitrary HTML and JavaScript into the generated output. The vulnerability has been addressed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user viewing the generated HTML.

Reproduction

To reproduce this vulnerability, create a spreadsheet using PhpSpreadsheet. Set a cell's value to include a payload, such as an image tag with an 'onerror' event. Apply a custom number format that includes the '@' placeholder with additional text, such as '@ "items"'. When the spreadsheet is processed by the HTML Writer, the payload will be injected as unescaped HTML, executing the script.
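The following pre-render check is an added example and not part of the advisory or of PhpSpreadsheet itself; it walks every populated cell, flags the cell/format combination described above (the "'@' plus literal text" heuristic is an assumption, not the project's own logic) and neutralises the flagged values before an unpatched HTML Writer renders them. It assumes PhpSpreadsheet installed via Composer.

```php
<?php
// Added example, not part of the advisory or of PhpSpreadsheet.
// Assumes PhpSpreadsheet is installed via Composer (vendor/autoload.php).
require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\Spreadsheet;

// Heuristic (an assumption): a custom number format is treated as risky when
// it contains the '@' text placeholder together with any other text,
// e.g. '@ "items"' or '"Total:" @'. A bare '@' is left alone.
function isTextFormatWithLiteral(string $formatCode): bool
{
    return str_contains($formatCode, '@') && trim($formatCode) !== '@';
}

// Return "Sheet!A1" coordinates of every existing cell whose number format
// matches the heuristic, so the caller can review, escape or reject them.
function findRiskyTextFormatCells(Spreadsheet $spreadsheet): array
{
    $hits = [];
    foreach ($spreadsheet->getAllSheets() as $sheet) {
        foreach ($sheet->getRowIterator() as $row) {
            $cells = $row->getCellIterator();
            $cells->setIterateOnlyExistingCells(true);
            foreach ($cells as $cell) {
                $format = $cell->getStyle()->getNumberFormat()->getFormatCode();
                if (isTextFormatWithLiteral($format)) {
                    $hits[] = $sheet->getTitle() . '!' . $cell->getCoordinate();
                }
            }
        }
    }
    return $hits;
}

// Constructed sample: one harmless cell and one cell carrying the format
// pattern from the advisory with untrusted (here, dummy) text.
$spreadsheet = new Spreadsheet();
$sheet = $spreadsheet->getActiveSheet();
$sheet->setCellValue('A1', 'plain text');
$sheet->setCellValue('A2', 'untrusted text from upload');
$sheet->getStyle('A2')->getNumberFormat()->setFormatCode('@ "items"');

// Before passing the workbook to \PhpOffice\PhpSpreadsheet\Writer\Html on an
// unpatched version, HTML-escape the flagged values so they render as text.
foreach (findRiskyTextFormatCells($spreadsheet) as $coord) {
    [$title, $ref] = explode('!', $coord, 2);
    $cell = $spreadsheet->getSheetByName($title)->getCell($ref);
    $cell->setValue(htmlspecialchars((string) $cell->getValue(), ENT_QUOTES));
    echo "Escaped flagged cell $coord" . PHP_EOL;
}
```

Upgrading to a fixed release remains the real fix; this check only narrows exposure for workbooks that must be rendered by an older version in the meantime.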

Remediation

Users can upgrade to PhpSpreadsheet versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, or 5.7.0 to address this vulnerability.

Added: May 5, 2026, 8:30 PM
Updated: May 5, 2026, 8:30 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.