CVE-2015-3542: 
PHP vulnerability analysis and mitigation

CVE-2015-3542 is an XML External Entity (XXE) vulnerability discovered in PHPExcel library versions prior to 1.8.1. The vulnerability was identified and disclosed on April 29, 2015, affecting the XML-based file readers in the PHPExcel library (GitHub Advisory).

The vulnerability exists in the XML file scanning functionality of XML-based Readers in PHPExcel, which could allow XML Entity Expansion (XEE) attacks. The issue affects multiple XML processing components including Excel2003XML, Excel2007, Gnumeric, and OOCalc readers. The vulnerability has been assigned a high severity rating with a CVSS v4.0 base score of 8.7, with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (GitHub Advisory).

A successful exploitation of this vulnerability could allow attackers to perform XML External Entity (XXE) attacks, potentially leading to unauthorized disclosure of sensitive information, denial of service through resource exhaustion, or server-side request forgery (GitHub Advisory).

The vulnerability has been fixed in PHPExcel version 1.8.1. Users are advised to upgrade to this version or later. The fix includes implementation of security scanning for XML files in XML-based Readers to prevent XML Entity Expansion attacks (PHPExcel Commit).