Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2024-47875 PoC — DOMPurify nesting-based mXSS

Source
https://github.com/roj1py/CVE-2024-47875-PhpSpreadsheet-XSS-PoC
Associated Vulnerability
Title:DOMPurify nesting-based mXSS (CVE-2024-47875)
Description:DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
Description
This is a PoC/Exploit for the CVE-2024-47875 PhpSpreadsheet XSS Vuln
Readme
# CVE-2025-22131 • PhpSpreadsheet HTML Writer XSS (PoC)

## Over View 
this is a PoC on the **CVE-2025-22131** , a Cross-Site Scripting (XSS) vulnerability in PhpSpreadsheet versions prior to 2.2.2, 2.1.2, and 1.29.4. The vulnerability resides in the generateNavigation() function, which fails to sanitize sheet names during XLSX-to-HTML conversion, enabling malicious JavaScript injection.

CVE ID: CVE-2024-47875

GitHub Advisory: GHSA-79xx-vf93-p7cx

Affected Versions: PhpSpreadsheet < 2.2.2, < 2.1.2, < 1.29.4

Author: Roj

License: MIT

Repository: [PoC Repo](https://github.com/roj1py/CVE-2024-47875-PhpSpreadsheet-XSS-PoC)

---
## Features
📄 Generates malicious XLSX files with customizable XSS payloads

🛠️ Supports multiple payload types:

cookie_theft: Steals session cookies

redirect: Redirects users to an attacker-controlled site

alert: Displays a test alert for PoC

keylogger: Captures keystrokes

form_hijack: Intercepts form submissions

data_exfil: Exfiltrates data from a specified endpoint

🌐 Built-in HTTP server to capture exploit callbacks

⬆️ Uploads malicious XLSX files to a target endpoint

💾 Saves captured data (e.g., cookies) to a JSON file

🎨 Colorized terminal output for enhanced readability

🔍 Verbose logging for debugging

---
## Usage
```bash
python exploit.py -h
```
🚀 Usage Examples:
```bash
#Basic cookie theft attack
python3 exploit.py http://target.htb 10.10.16.50

# Custom upload endpoint
python3 exploit.py http://app.htb 10.10.16.50 -e /api/file-upload

# Different payload types
python3 exploit.py http://target.com 10.10.16.50 -p keylogger
python3 exploit.py http://target.com 10.10.16.50 -p redirect
python3 exploit.py http://target.com 10.10.16.50 -p form_hijack

# Custom XSS payload
python3 exploit.py http://target.com 10.10.16.50 --custom "<script>fetch('/admin/delete-all')</script>"
```
---
I wich to get feedbacks , wich luck to all of you
File Snapshot

 [4.0K]  /data/pocs/cb418944705d58cd9d35968609444be1f9112b7c
├── [ 25K]  exploit.py
├── [1.0K]  LICENSE
└── [1.9K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →