Skip to main content

Phpspreadsheet CVE-2019-12331

HIGH
Improper Restriction of XML External Entity Reference (CWE-611)
2019-11-07 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 07, 2019 - 15:15 nvd
HIGH 8.8

DescriptionNVD

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack.

AnalysisAI

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚<!ENTITY‘ and thus allowing for an xml external entity processing (XXE) attack. Affected products include: Phpoffice Phpspreadsheet. Version information: before 1.8.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Disable external entity processing in XML parsers, use JSON instead of XML where possible.

CVE-2024-45291 HIGH POC
8.8 Oct 07

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 8.8), this vul

CVE-2018-19277 HIGH POC
8.8 Nov 14

securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 enco

CVE-2024-48917 HIGH POC
7.5 Nov 18

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerab

CVE-2024-47873 HIGH POC
7.5 Nov 18

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vulnerab

CVE-2024-45290 HIGH POC
7.5 Oct 07

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vul

CVE-2024-45293 HIGH POC
7.5 Oct 07

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated high severity (CVSS 7.5), this vul

CVE-2024-45048 MEDIUM POC
6.5 Aug 28

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 6.5), this v

CVE-2020-7776 MEDIUM POC
6.4 Dec 09

This affects the package phpoffice/phpspreadsheet from 0.0.0. Rated medium severity (CVSS 6.4), this vulnerability is re

CVE-2024-45060 MEDIUM POC
6.1 Oct 07

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 6.1), this v

CVE-2024-45292 MEDIUM POC
5.4 Oct 07

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 5.4), this v

CVE-2024-45046 MEDIUM POC
5.4 Aug 28

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 5.4), this v

CVE-2025-22131 MEDIUM POC
5.1 Jan 20

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 5.1), this vulner

Share

CVE-2019-12331 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy