CVE-2025-23210 — Cross-site Scripting in Phpspreadsheet

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

4.8MEDIUMNVD

EPSS

0.1%

top 70.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Phpoffice Phpspreadsheet Phpoffice Phpexcel

Timeline

PublishedFeb 3

Description

phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

▶CVEListV5phpoffice/phpspreadsheet< 1.29.9+3

▶Packagistphpoffice/phpspreadsheet3.0.0 — 3.9.0+3

▶Packagistphpoffice/phpexcel1.8.2

🔴Vulnerability Details

CVEList

Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet↗2025-02-03

▶

OSV

PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters↗2025-02-03

▶

GHSA

PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters↗2025-02-03

▶