← Back to CVE List

CVE-2024-45046

Published: 2024-08-28T21:15Z
Last Modified: 2024-09-04T17:32Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker may used a crafted spreadsheet to fully takeover a session of a user viewing spreadsheet files as HTML. This issue has been addressed in release version 2.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt