CVE-2014-2054 — XML External Entity (XXE) Injection in Phpexcel

CWE-611 — XML External Entity (XXE) Injection4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.5%

top 32.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpoffice Phpexcel Owncloud Server Phpexcel Project Phpexcel

Timeline

PublishedJun 4

Latest updateMay 17

Description

PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDowncloud/owncloud_server5.0.14+17

▶Packagistphpoffice/phpexcel< 1.8.0

▶NVDphpexcel_project/phpexcel1.7.9

🔴Vulnerability Details

OSV

PHPExcel vulnerable to XXE attacks through libxml↗2022-05-17

▶

GHSA

PHPExcel vulnerable to XXE attacks through libxml↗2022-05-17

▶

CVEList

CVE-2014-2054: PHPExcel before 1↗2014-06-04

▶