Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRtcXYtZ2NyMy1wZmY5
Cross-site scripting in phpoffice/phpspreadsheet
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when generating HTML output from an Excel file that contains a comment on any cell. The root cause lies in the HTML writer, where user-supplied comment text is concatenated into a link without escaping and the result is returned as HTML.
Permalink: https://github.com/advisories/GHSA-4mqv-gcr3-pff9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRtcXYtZ2NyMy1wZmY5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 3 months ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Identifiers: GHSA-4mqv-gcr3-pff9, CVE-2020-7776
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-7776
- https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845
- https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792
- https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
- https://github.com/PHPOffice/PhpSpreadsheet/pull/1719
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2020-7776.yaml
- https://github.com/advisories/GHSA-4mqv-gcr3-pff9
Blast Radius: 27.5
Affected Packages
packagist:phpoffice/phpspreadsheet
Dependent packages: 963
Dependent repositories: 20,090
Downloads: 165,601,091 total
Affected Version Ranges: < 1.16.0
Fixed in: 1.16.0
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.10.0, 1.10.1, 1.11.0, 1.12.0, 1.13.0, 1.14.0, 1.14.1, 1.15.0
All unaffected versions: 1.16.0, 1.17.0, 1.17.1, 1.18.0, 1.19.0, 1.20.0, 1.21.0, 1.22.0, 1.23.0, 1.24.0, 1.24.1, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.27.0, 1.27.1, 1.28.0, 1.29.0, 2.0.0