Phpoffice Phpspreadsheet vulnerabilities

22 known vulnerabilities affecting phpoffice/phpspreadsheet.

Total CVEs
22
CISA KEV
0
Public exploits
2
Exploited in wild
0
Severity breakdown
HIGH12MEDIUM10

Vulnerabilities

Page 2 of 2
CVE-2019-12331HIGHCVSS 8.8fixed in 1.8.02019-11-07
CVE-2019-12331 [HIGH] CVE-2019-12331: PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from a PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string ‚
ghsanvdosv
CVE-2018-19277HIGHCVSS 8.8PoC≤ 1.5.02018-11-14
CVE-2018-19277 [HIGH] CWE-91 CVE-2018-19277: securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms fo securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
ghsanvdosv
← Previous2 / 2
Phpoffice Phpspreadsheet vulnerabilities | cvebase