CVE-2024-56364
Description
SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in 1.0.12 and ending in 1.1.13, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. This vulnerability is fixed in 1.1.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SimpleXLSX library versions 1.0.12–1.1.13 allow arbitrary JavaScript execution via the toHTMLEx method, fixed in 1.1.13.
Vulnerability
Overview
SimpleXLSX, a PHP library for parsing Excel XLSx files, contains a cross-site scripting (XSS) vulnerability in versions 1.0.12 through 1.1.13. When the extended toHTMLEx method is called, user-controlled data from the spreadsheet can be rendered without proper sanitization, allowing an attacker to inject arbitrary JavaScript code [1].
Exploitation
Details
The vulnerability is triggered by crafting a malicious XLSx file containing JavaScript payloads in cell content or other fields that are processed by the toHTMLEx method. No authentication is required beyond the ability to supply a file to the library; the attack surface is any application that uses SimpleXLSX to convert spreadsheet data to HTML and displays the output to users [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser when the generated HTML is viewed. This can lead to session hijacking, data theft, or other client-side attacks. The vulnerability is classified as medium severity (CVSS 5.4) [1].
Mitigation
The issue is patched in version 1.1.13. Users should upgrade immediately. No workarounds are documented; applications relying on the toHTMLEx method should avoid processing untrusted XLSx files until updated [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
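The allowlist approach the fix described above relies on, as an added example that is not SimpleXLSX's own code: a colour attribute taken from the spreadsheet is either an exact hex string or it is dropped before it can reach generated CSS. Function names, the `$samples` values and the `$allowLowercase` option are assumptions for illustration.

```php
<?php
// Added example (not SimpleXLSX's own code). Names below are hypothetical.

// Vulnerable shape (pre-patch): the attribute is trusted and sliced blindly,
// so whatever text the spreadsheet author placed there lands in the CSS.
function colorCssUnsafe(?string $rgb): string
{
    if ($rgb === null) {
        return '';
    }
    return 'color:#' . substr($rgb, 2, 6) . ';';   // FFCCBBAA -> CCBBAA
}

// Hardened shape: accept only an exact 8-digit ARGB hex string, else fall back.
// The shipped patch's regex is case-sensitive; the /i variant here also accepts
// the lowercase hex that the OOXML hexBinary type permits (assumption: that is
// the behaviour you want; the shipped patch treats lowercase as invalid).
function colorCssSafe(?string $rgb, bool $allowLowercase = true): string
{
    if ($rgb === null) {
        return '';
    }
    $pattern = $allowLowercase ? '/^[A-F0-9]{8}$/i' : '/^[A-F0-9]{8}$/';
    if (!preg_match($pattern, $rgb)) {
        return '';   // rejected: not a colour, so nothing is emitted
    }
    return 'color:#' . strtoupper(substr($rgb, 2, 6)) . ';';
}

// Constructed sample attribute values, as they might appear in styles.xml.
$samples = [
    'FFCC0000',   // well-formed ARGB
    'ffcc0000',   // lowercase, still schema-valid
    'FF0000;}',   // not a colour: contains CSS metacharacters
];

foreach ($samples as $s) {
    printf("%-12s unsafe: %-16s safe: %s\n",
        var_export($s, true),
        colorCssUnsafe($s),
        colorCssSafe($s) !== '' ? colorCssSafe($s) : '(rejected)');
}
```

The unsafe variant emits `color:#0000;};` for the third sample, which closes the declaration early; the safe variant emits nothing for it and keeps the other two.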
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| shuchkin/simplexlsx (Packagist) | >= 1.0.12, < 1.1.13 | 1.1.13 |
Affected products (3)
1.0.12, 1.0.13, 1.0.14, … (+1 more)
- (no CPE) range: 1.0.12, 1.0.13, 1.0.14, …
- (no CPE) range: >=1.0.12, <=1.1.13
Patches
12 files changed · +8 −5
CHANGELOG.md+3 −0 modified@@ -1,5 +1,8 @@ # Changelog +# 1.1.13 (2024-12-21) +* fixed css colors vulnerability + # 1.1.12 (2024-12-11) * fixed toHTMLEx css vulnerability
src/SimpleXLSXEx.php+5 −5 modified@@ -128,10 +128,10 @@ public function readThemeColors() 'accent6','hlink','folHlink']; foreach ($colors12 as $c) { $v = $this->xlsx->theme->themeElements->clrScheme->{$c}; - if (isset($v->sysClr)) { - $this->themeColors[] = substr((string) $v->sysClr['lastClr'], 0, 6); - } elseif (isset($v->srgbClr)) { - $this->themeColors[] = substr((string) $v->srgbClr['val'], 0, 6); + if (isset($v->sysClr) && preg_match('/^[A-F0-9]{6}$/', (string) $v->sysClr['lastClr'])) { + $this->themeColors[] = (string) $v->sysClr['lastClr']; + } elseif (isset($v->srgbClr) && preg_match('/^[A-F0-9]{6}$/', (string) $v->srgbClr['val'])) { + $this->themeColors[] = (string) $v->srgbClr['val']; } else { $this->themeColors[] = null; } @@ -617,7 +617,7 @@ public function getColorValue(SimpleXMLElement $a = null, $default = '') return $default; } $c = $default; // auto - if ($a['rgb'] !== null) { + if ($a['rgb'] !== null && preg_match('/^[A-F0-9]{8}$/', (string) $a['rgb'])) { $c = substr((string) $a['rgb'], 2, 6); // FFCCBBAA -> CCBBAA } elseif ($a['indexed'] !== null && isset(static::$IC[ (int) $a['indexed'] ])) { $c = static::$IC[ (int) $a['indexed'] ];
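Review bot: the new CHANGELOG entry for 1.1.13 says only "fixed css colors vulnerability"; for consumers triaging upgrades it would help to name what was tightened (theme and cell colour attributes in SimpleXLSXEx are now validated as hex before being emitted) and to reference the advisory, CVE-2024-56364, the way the 1.1.12 entry at least names toHTMLEx.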
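Review bot: in readThemeColors the new `preg_match('/^[A-F0-9]{6}$/', ...)` checks are case-sensitive, so a lowercase value in `sysClr['lastClr']` or `srgbClr['val']` that the old `substr(..., 0, 6)` accepted now falls through to `$this->themeColors[] = null`; if that is not intended, add the `/i` modifier and normalise with strtoupper when storing. The allowlist itself is the right fix: a value is only appended once it is known to be exactly six hex digits, so nothing else can reach the CSS those colours are later written into.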
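Review bot: `preg_match('/^[A-F0-9]{8}$/', (string) $a['rgb'])` in getColorValue has the same case-sensitivity as the theme check, so a lowercase ARGB value now silently yields the `$default` colour instead of the intended one; consider `/i` together with strtoupper before the `substr(..., 2, 6)`. The `indexed` branch needs no such guard since it resolves through the static `$IC` table under an `isset` check rather than emitting the raw attribute.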
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 4
Linked articles: 0. No linked articles in our index yet.