CVE-2020-7776Cross-site Scripting in Phpspreadsheet

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.4MEDIUMNVD
CNA7.1
EPSS
0.3%
top 43.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Phpoffice PhpspreadsheetPhpoffice Phpexcel
Timeline
PublishedDec 9
Latest updateMay 6

Description

This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages4 packages

CVEListV5phpoffice/phpspreadsheet0.0.0unspecified
Packagistphpoffice/phpspreadsheet< 1.16.0
Packagistphpoffice/phpexcel1.8.2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Cross-site scripting in phpoffice/phpspreadsheet2021-05-06
GHSA
Cross-site scripting in phpoffice/phpspreadsheet2021-05-06
CVEList
Cross-site Scripting (XSS)2020-12-09
CVE-2020-7776 — Cross-site Scripting in Phpspreadsheet | cvebase