Arbitrary Code Execution (ACE) vulnerability in Spreadsheet::ParseExcel version 0.65
CVE-2023-7101
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- Version 0.65 of Spreadsheet::ParseExcel - https://metacpan.org/pod/Spreadsheet::ParseExcel
- Products that depend upon and use Spreadsheet::ParseExcel, such as Spreadsheet::ParseXLSX (https://metacpan.org/pod/Spreadsheet::ParseXLSX)
High - Arbitrary Code Execution. If parsing documents provided by a remote machine, this could result in Remote Code Execution (RCE).
High - Attackers can exploit this vulnerability by using specially crafted Number format strings within XLS and XLSX files, triggering the execution of arbitrary code during the parsing process.
Spreadsheet::ParseExcel is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.
Not currently patched
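As an added illustration (not Spreadsheet::ParseExcel's code), the Perl sketch below contrasts the weakness class the advisory describes, a workbook-supplied Number format string reaching a string-type eval, with a hardened formatter that only ever treats the format string as data. The function names and the small subset of formats they handle are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed illustration of the CWE-95 pattern this advisory describes.
# It is not Spreadsheet::ParseExcel's code; both functions and the small
# format subset they handle are assumptions made for this example.

# Vulnerable shape: part of the workbook-controlled Number format string is
# spliced into Perl source text and compiled with a string eval, so the file
# author, not the parser, decides what that code is.
sub format_number_unsafe {
    my ($fmt, $value) = @_;
    my ($digits, $suffix) = $fmt =~ /^([#0,]*(?:\.0+)?)(.*)$/s;
    my $decimals = ($digits =~ /\.(0+)/) ? length($1) : 0;
    # CWE-95: $suffix comes straight from the file and becomes Perl code.
    my $code = "sprintf('%.${decimals}f', \$value) . '$suffix'";
    return eval $code;
}

# Hardened shape: parse the format with a strict allowlist and render it
# with plain sprintf. The format string is only ever treated as data, and
# anything outside the supported subset is rejected (fail closed).
sub format_number_safe {
    my ($fmt, $value) = @_;
    my ($int, $frac, $suffix) =
        $fmt =~ /^([#0](?:[#0,]*[#0])?)(?:\.(0+))?([ A-Za-z]{0,8})$/
        or die "unsupported number format '$fmt'\n";
    my $decimals = defined $frac ? length($frac) : 0;
    my $out = sprintf('%.*f', $decimals, $value);
    if ($int =~ /,/) {                      # thousands separator requested
        my ($ip, $fp) = split /\./, $out, 2;
        1 while $ip =~ s/^(-?\d+)(\d{3})/$1,$2/;
        $out = defined $fp ? "$ip.$fp" : $ip;
    }
    return $out . $suffix;
}

# Constructed sample formats, as they might appear in a workbook's FORMAT
# records; the value is arbitrary test data.
for my $fmt ('#,##0.00 kg', '0.0 mm', '0') {
    printf "%-12s -> %s\n", $fmt, format_number_safe($fmt, 1234567.891);
}
# A legitimate Excel format outside the subset is rejected, not evaluated.
eval { format_number_safe('General', 1) };
print "rejected: $@" if $@;
```

The safe variant deliberately supports only a subset of Excel's format grammar; a real fix has to cover the full grammar the parser accepts, but the principle is the same: validate and interpret the format string, never compile it.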