CVE-2024-47873: 
PHP vulnerability analysis and mitigation

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files that contains a vulnerability in its XmlScanner class. The vulnerability (CVE-2024-47873) affects versions prior to 1.9.4, 2.1.3, 2.3.2, and 3.4.0. The scan method, which is designed to prevent XXE attacks, can be bypassed using UCS-4 and encoding guessing techniques (GitHub Advisory).

The vulnerability exists in the regexes used in both the scan method and the findCharSet method of the XmlScanner class. The issue allows attackers to bypass the XML external entity (XXE) sanitizer by utilizing UCS-4 encoding and exploiting the encoding guessing mechanism as described in the W3C XML specification. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high impact on confidentiality (NVD).

When successfully exploited, this vulnerability allows attackers to bypass the sanitizer and achieve an XML external entity (XXE) attack. This can lead to unauthorized access to sensitive information, potential server-side request forgery, and exposure of internal system data (OWASP XXE).

The vulnerability has been fixed in versions 1.9.4, 2.1.3, 2.3.2, and 3.4.0. Users are strongly advised to upgrade to these patched versions to prevent potential XXE attacks (GitHub Advisory).