CVE-2019-12331
https://notcve.org/view.php?id=CVE-2019-12331
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to UTF-8 if something other than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277, but the fix is not sufficient. By double-encoding the XML payload to UTF-7, it is possible to bypass the check for the string '<!ENTITY', thus allowing an XML external entity (XXE) processing attack. • https://github.com/PHPOffice/PhpSpreadsheet/blob/master/CHANGELOG.md#180---2019-07-01 https://herolab.usd.de/security-advisories/usd-2019-0046 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2018-19277 – PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)
https://notcve.org/view.php?id=CVE-2018-19277
securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file. • https://www.exploit-db.com/exploits/46050 https://github.com/MewesK/TwigSpreadsheetBundle/issues/18 https://github.com/PHPOffice/PhpSpreadsheet/issues/771 https://www.bishopfox.com/news/2018/11/phpoffice-versions https://www.drupal.org/sa-contrib-2021-043 • CWE-91: XML Injection (aka Blind XPath Injection) •