Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-918: Server-Side Request Forgery (SSRF) CVSS vector v.3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVSS vector v.4.0: 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) Description: SSRF occurs when a processed HTML document is read and displayed in the browser Impact: Server-Side Request Forgery Vulnerable component: the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, setPath method Exploitation conditions: getting a string from the user that is passed to the HTML reader Mitigation: improved processing of the $path variable of the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class is needed Researcher: Aleksey Solovev (Positive Technologies)

Research

The researcher discovered zero-day vulnerability Server-Side Request Forgery (SSRF) (in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class) in Phpspreadsheet. The latest version (3.8.0) of the phpoffice/phpspreadsheet library was installed. Below are the details of the installation:

Listing 1. Installing the phpoffice/phpspreadsheet library

$ composer require phpoffice/phpspreadsheet --prefer-source

The code that processes the HTML string with further rendering and displaying the result in the browser. Listing 2. Executable file index.php using the PhpSpreadsheet library

<?php

require __DIR__ . '/vendor/autoload.php';

$inputFileType = 'Html';
$reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader($inputFileType);  


$inputFileName = './doc/file.html';
$spreadsheet = $reader->load($inputFileName); 

$writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); 
print($writer->generateHTMLAll());

Also, the ./doc/file.html has the following content: the img tag with the attribute, which contains the value