CVE-2024-56410Cross-site Scripting in Phpspreadsheet

CWE-79Cross-site Scripting4 documents4 sources
Severity
4.8MEDIUMNVD
EPSS
0.7%
top 28.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Phpoffice PhpspreadsheetPhpoffice Phpexcel
Timeline
PublishedJan 3

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

CVEListV5phpoffice/phpspreadsheet< 1.29.7+3
NVDphpoffice/phpspreadsheet2.0.02.1.6+3
Packagistphpoffice/phpspreadsheet3.0.03.7.0+3
Packagistphpoffice/phpexcel1.8.2

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties2025-01-03
CVEList
PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability in custom properties2025-01-03
GHSA
PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties2025-01-03
CVE-2024-56410 — Cross-site Scripting in Phpspreadsheet | cvebase