CVE-2024-56411 — Cross-site Scripting in Phpspreadsheet

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.7%

top 28.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

2

Phpoffice Phpspreadsheet Phpoffice Phpexcel

Timeline

PublishedJan 3

Description

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

▶CVEListV5phpoffice/phpspreadsheet< 1.29.7+3

▶NVDphpoffice/phpspreadsheet2.0.0 — 2.1.6+3

▶Packagistphpoffice/phpspreadsheet3.0.0 — 3.7.0+3

▶Packagistphpoffice/phpexcel1.8.2

Patches

Patch: github.com ↗

🔴Vulnerability Details

3

GHSA

PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header↗2025-01-03

▶

OSV

PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header↗2025-01-03

▶

CVEList

PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header↗2025-01-03

▶

CVE-2024-56411 — Cross-site Scripting in Phpspreadsheet | cvebase