CVE-2024-45292

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. \PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize "javascript:" URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: Oct 7, 2024
Updated: May 4, 2025
CVE: CVE-2024-45292
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
phpoffice / phpspreadsheet	2.2.0	2.3.0
phpoffice / phpspreadsheet	2.0.0	2.1.1
phpoffice / phpspreadsheet	-	1.29.2

https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-r8w8-74ww-j4wh

Vulnerability Database

290,206

CVE-2024-45292