What is CVE-2024-47873?

CVE-2024-47873 is a high-severity vulnerability in Phpoffice Phpspreadsheet, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.5/10. Published 2024-11-18.

How severe is CVE-2024-47873?

High severity. CVSS v3 base score is 7.5 out of 10.

XXE in Phpoffice Phpspreadsheet

CVE-2024-47873

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The XmlScanner class has a scan method which should prevent XXE attacks. However, prior to versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0, the regexes used in the `scan` m…

Vulnerability class: XXE (XML External Entity)

EPSS: 0.002 (38.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Phpoffice Phpspreadsheet — versions < 1.29.4, >= 2.0.0, < 2.1.3, >= 2.2.0, < 2.3.2

Weakness classification (CWE)

CWE-611 — Improper Restriction of XML External Entity Reference (XXE)

References

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-jw4x-v69f-hh5w (x_refsource_CONFIRM)
https://github.com/PHPOffice/PhpSpreadsheet/blob/39fc51309181e82593b06e2fa8e45ef8333a0335/src/PhpSpreadsheet/Reader/Security/XmlScanner.php (x_refsource_MISC)
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing (x_refsource_MISC)
https://www.w3.org/TR/xml/#sec-guessing-no-ext-info (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-47873?: CVE-2024-47873 is a high-severity vulnerability in Phpoffice Phpspreadsheet, classified under Improper Restriction of XML External Entity Reference (XXE). CVSS score: 7.5/10. Published 2024-11-18.
How severe is CVE-2024-47873?: High severity. CVSS v3 base score is 7.5 out of 10.