SCA: security update for phpoffice/phpspreadsheet (GHSA-7cc9-j4mv-vcjp)

high Tenable Cloud Security Plugin ID 411991

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. The `XmlScanner` class has a
scan method which should prevent XXE attacks. However, in a bypass of the previously reported
`CVE-2024-47873`, the regexes from the `findCharSet` method, which is used for determining the current
encoding can be bypassed by using a payload in the encoding UTF-7, and adding at end of the file a comment
with the value `encoding="UTF-8"` with `"`, which is matched by the first regex, so that
`encoding='UTF-7'` with single quotes `'` in the XML header is not matched by the second regex. An
attacker can bypass the sanitizer and achieve an XML external entity attack. Versions 1.9.4, 2.1.3, 2.3.2,
and 3.4.0 fix the issue. (CVE-2024-48917)

See Also

https://github.com/advisories/GHSA-7cc9-j4mv-vcjp

Plugin Details

Severity: High

ID: 411991

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2024-48917

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/18/2024

Vulnerability Publication Date: 11/18/2024

Reference Information

CVE: CVE-2024-48917

cwe: CWE-611