Headline
GHSA-44jg-mv3h-wj6g: solspace/craft-freeform Vulnerable to XSS in `PhpSpreadsheet` HTML Writer Due to Unsanitized Styling Data
Summary
\PhpOffice\PhpSpreadsheet\Writer\Html doesn’t sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page.
Details
See https://github.com/advisories/GHSA-wgmf-q9vr-vww6
PoC
Example target script (index.php):
<?php
// index.php: loads an uploaded workbook and renders it as HTML with the
// unpatched writer, which copies styling data such as font names into the
// page unescaped.
require 'vendor/autoload.php';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx");
$spreadsheet = $reader->load(__DIR__ . '/book.xlsx');
$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet);
print($writer->generateHTMLAll());
Save the attached workbook, book.xlsx, in the same directory as index.php.
Open index.php in a web browser. An alert should be displayed.
Impact
Full takeover of the session of users viewing spreadsheet files as HTML.
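As an added example (not part of this advisory or of the PhpSpreadsheet project), a defensive pre-filter an application can apply to an untrusted workbook before handing it to the HTML writer while the library is still unpatched. The function name `sanitizeFontNames`, the allowlist pattern and the fallback font are assumptions of this example; the library calls used (`getCellXfCollection`, `getDefaultStyle`, `getFont`, `getName`, `setName`) are real PhpSpreadsheet API.

```php
<?php
// Added example, not code from the advisory: replace any font name that
// could carry markup before the HTML writer copies it into the page.
// Assumes PhpSpreadsheet is installed via Composer (vendor/autoload.php).
require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Spreadsheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;

// Conservative allowlist (assumption): letters, digits, spaces, hyphens.
// Quotes, angle brackets and braces have no business in a font-family name.
const SAFE_FONT_NAME = '/^[A-Za-z0-9 \-]{1,64}$/';
const FALLBACK_FONT  = 'Calibri';

/**
 * Walk the workbook's default style and every cell style (cellXf), which
 * are the Font objects the HTML writer turns into CSS, and reset any font
 * name that fails the allowlist. Returns the rejected names for logging.
 */
function sanitizeFontNames(Spreadsheet $spreadsheet): array
{
    $rejected = [];
    $styles   = $spreadsheet->getCellXfCollection();
    $styles[] = $spreadsheet->getDefaultStyle();
    foreach ($styles as $style) {
        $font = $style->getFont();
        $name = $font->getName();
        if ($name !== null && !preg_match(SAFE_FONT_NAME, $name)) {
            $rejected[] = $name;
            $font->setName(FALLBACK_FONT);
        }
    }
    return $rejected;
}

$spreadsheet = IOFactory::load(__DIR__ . '/book.xlsx');
$rejected    = sanitizeFontNames($spreadsheet);
if ($rejected !== []) {
    // Detection signal: an uploaded workbook carrying markup in a font
    // name is a strong indicator of an injection attempt; log, don't echo.
    error_log(sprintf('book.xlsx: replaced %d suspicious font name(s)', count($rejected)));
}
$writer = new Html($spreadsheet);
print($writer->generateHTMLAll());
```

This is a stopgap, not a fix: rich-text runs carry their own Font objects that this loop does not visit, and other styling fields the writer emits are unaffected, so upgrading to a PhpSpreadsheet release that addresses GHSA-wgmf-q9vr-vww6 remains the real remediation.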
References
- GHSA-wgmf-q9vr-vww6
- GHSA-44jg-mv3h-wj6g
- https://github.com/solspace/craft-freeform/releases/tag/v4.1.23