PHPOffice PhpSpreadsheet before 1.8.0 Improper Restriction of XML External Entity Reference Vulnerability
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header.
The information has been provided by Daniel Hoffmann
The original article can be found at:https://herolab.usd.de/security-advisories/usd-2019-0046/
This was a security measure to prevent the vulnerability but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ?<!ENTITY? and thus allowing for an xml external entity processing (XXE) attack.
PHPOffice PhpSpreadsheet before 1.8.0