CVE-2020-7776
Published 2020-12-09
Priority: P432 | medium | 6.4 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:C / C:L / I:L / A:N
EPSS: 1.30% (66.9th percentile)
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when HTML output is created from an Excel file in which a comment has been added to any cell. The root cause is in the HTML writer, where user comments are concatenated as part of a link and returned as HTML. A fix for this issue is available in commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845 on the master branch.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpoffice | phpexcel | 0 – 1.8.2 | — |
| phpoffice | phpspreadsheet | < 1.16.0 | 1.16.0 |
| phpoffice | phpspreadsheet | >= 0 < 1.16.0 | 1.16.0 |
| phpoffice | phpspreadsheet | >= 0.0.0 < unspecified | unspecified |
CVSS provenance
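| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |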
OSV
Cross-site scripting in phpoffice/phpspreadsheet
osv·2021-05-06
CVE-2020-7776 [MEDIUM] Cross-site scripting in phpoffice/phpspreadsheet
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when HTML output is created from an Excel file in which a comment has been added to any cell. The root cause is in the HTML writer, where user comments are concatenated as part of a link and returned as HTML.
GHSA
Cross-site scripting in phpoffice/phpspreadsheet
ghsa·2021-05-06
CVE-2020-7776 [MEDIUM] CWE-79 Cross-site scripting in phpoffice/phpspreadsheet
https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792
https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845
https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856