CVE-2024-45293— XML External Entity Reference (XXE) in PHPSpreadsheet's XLSX reader
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-45293
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XML External Entity Reference (XXE) in PHPSpreadsheet's XLSX reader
Source: NVD (National Vulnerability Database)
Vulnerability Description
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check to retrieve the input file's XML encoding in the toUtf8 function. The function searches for the XML encoding through a defined regex which looks for `encoding="*"` and/or `encoding='*'`, if not found, it defaults to the UTF-8 encoding which bypasses the conversion logic. This logic can be used to pass a UTF-7 encoded XXE payload, by utilizing a whitespace before or after the = in the attribute definition. Sensitive information disclosure through the XXE on sites that allow users to upload their own excel spreadsheets, and parse them using PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Source: NVD (National Vulnerability Database)
Vulnerability Title
PhpSpreadsheet 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PhpSpreadsheet是PHPOffice开源的一款用于读取和写入电子表格文件的PHP库。 PhpSpreadsheet存在安全漏洞。攻击者利用该漏洞通过提供特制的工作表来泄露服务器文件和敏感信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| PHPOffice | PhpSpreadsheet | >= 2.2.0, < 2.3.0 | - |
II. Public POCs for CVE-2024-45293
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | The PHPSpreadsheet library used by the plugin is affected by an XXE as the security scanner that prevents XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white spaces. On servers that allow users to upload their own Excel (XLSX) sheets, Server files, and sensitive information can be disclosed by providing a crafted sheet. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-45293.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-45293
请登录查看更多情报信息。
Same Patch Batch · PHPOffice · 2024-10-07 · 5 CVEs total
| CVE-2024-45290 | 7.7 HIGH | Path traversal and Server-Side Request Forgery when opening XLSX files in PHPSpreadsheet |
| CVE-2024-45060 | 7.1 HIGH | Unauthenticated Cross-Site-Scripting (XSS) in sample file in PHPSpreadsheet |
| CVE-2024-45291 | 6.3 MEDIUM | Path traversal and Server-Side Request Forgery in HTML writer when embedding images is ena |
| CVE-2024-45292 | 5.4 MEDIUM | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks |
IV. Related Vulnerabilities
Same product: PhpSpreadsheet
- CVE-2026-40296
PhpSpreadsheet vulnerable to XSS in HTML writer via custom n - CVE-2026-35453
PhpSpreadsheet XSS via number format text substitution in HT - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2025-54370
PhpSpreadsheet vulnerable to SSRF when reading and displayin - CVE-2025-23210
Bypass XSS sanitizer using the javascript protocol and speci
Same vendor: PHPOffice
- CVE-2026-40296
PhpSpreadsheet vulnerable to XSS in HTML writer via custom n - CVE-2026-35453
PhpSpreadsheet XSS via number format text substitution in HT - CVE-2026-34084
PhpSpreadsheet SSRF and RCE via PHP stream wrappers in IOFac - CVE-2025-54370
PhpSpreadsheet vulnerable to SSRF when reading and displayin - CVE-2025-48882
PHPOffice Math allows XXE when processing an XML file in the
Same weakness: CWE-611
- CVE-2026-41936
Vvveb < 1.0.8.2 XML External Entity Injection via Import - CVE-2026-40682
Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntr - CVE-2026-6501
ILM Informatique jOpenDocument 代码问题漏洞 - CVE-2025-14543
Improper Restriction of XML External Entity Reference vulner - CVE-2024-13971
Arbitrary File Read and Server Side Request Forgery via XML
V. Comments for CVE-2024-45293
Anonymous User
2025-10-04 15:09:29Plunge into the massive universe of EVE Online. Start your journey today. Explore alongside hundreds of thousands of explorers worldwide. <a href=https://www.eveonline.com/signup?invc=46758c20-63e3-4816-aa0e-f91cff26ade4>Join now</a>