PhpSpreadsheet Stored Cross-Site Scripting Vulnerability via Custom Number Formats

Vulnerability

A stored cross-site scripting vulnerability has been identified in PhpSpreadsheet versions 4.0.0 through 5.6.0, 3.3.0 through 3.10.4, 2.2.0 through 2.4.4, 2.0.0 through 2.1.15, and 1.30.3 and prior. The issue lies in the HTML writer component, which fails to escape HTML-significant characters in one specific scenario: when a cell's custom number format contains the text placeholder '@' together with additional literal characters, the formatter replaces the '@' with the cell value and appends the extra characters. The formatted value therefore no longer matches the original cell value, and in that case attacker-controlled content reaches the generated HTML unescaped when the spreadsheet is converted to HTML and displayed to users.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the spreadsheet.

Reproduction

To reproduce this vulnerability, upload an XLSX file containing a cell whose value is a cross-site scripting payload, such as an image tag with an invalid image source, and whose custom number format includes the '@' placeholder plus additional characters. When this file is processed by PhpSpreadsheet's HTML writer, the payload is rendered unescaped and executes in the browser, demonstrating the cross-site scripting vulnerability.
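
The following is an added example, not PhpSpreadsheet's code: it models the text-format behaviour described above (every '@' replaced by the cell value, literal characters kept), contrasts an escaping flow that is assumed to be lost when formatting alters the value with one that escapes the formatted result, and gives a defender-side check that flags cells whose format alters a value containing HTML-significant characters. The exact vulnerable control flow, the helper names, and the sample cells are assumptions.

```python
import html
import re

# Constructed sample cells (cell reference, raw value, custom number format).
# Not taken from the advisory; the markup is an inert <b> tag, not a payload.
SAMPLE_CELLS = [
    ("A1", "Total", "General"),
    ("B2", "<b>hi</b>", '@ "USD"'),  # format alters the value, value has markup
    ("C3", "<b>hi</b>", "@"),        # format leaves the value unchanged
    ("D4", "plain", '@ "USD"'),      # altered, but no HTML-significant characters
]

def apply_text_format(value: str, number_format: str) -> str:
    """Model of a text-section number format: each '@' becomes the cell value,
    literals (bare, "quoted" or backslash-escaped) are kept as written.
    A format without '@' leaves a text value unchanged."""
    if "@" not in number_format:
        return value
    out = []
    for tok in re.finditer(r'"([^"]*)"|\\(.)|(@)|(.)', number_format):
        quoted, escaped, placeholder, bare = tok.groups()
        if placeholder:
            out.append(value)
        elif quoted is not None:
            out.append(quoted)
        else:
            out.append(escaped if escaped is not None else bare)
    return "".join(out)

def vulnerable_cell_html(value: str, number_format: str) -> str:
    """Assumed flawed flow (a model, not PhpSpreadsheet's code): the raw value is
    escaped, but when formatting changed the text the unescaped formatted string
    is emitted instead, so the escaping is lost exactly when '@' plus literals apply."""
    safe = html.escape(value)
    formatted = apply_text_format(value, number_format)
    return safe if formatted == value else formatted

def hardened_cell_html(value: str, number_format: str) -> str:
    """Escape after formatting, so both the value and any appended literals are safe."""
    return html.escape(apply_text_format(value, number_format))

def scan_for_divergence(cells) -> list:
    """Defender check: return references of cells whose text format alters the
    value and whose raw value contains HTML-significant characters."""
    flagged = []
    for ref, value, number_format in cells:
        if apply_text_format(value, number_format) != value and re.search(r'[<>&"\']', value):
            flagged.append(ref)
    return flagged
```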

Remediation

Users can upgrade to PhpSpreadsheet versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, or 1.30.4 to address this vulnerability.

Added: May 6, 2026, 10:22 PM
Updated: May 6, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.7
exploitability: 5.8
remediation: 7.7
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.