VYPR
Moderate severity · NVD Advisory · Published Sep 6, 2018 · Updated Sep 17, 2024

CVE-2018-16459

Description

An unescaped payload in exceljs < 1.6.0 allows stored XSS via a cell value when the worksheet is displayed in a browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the npm package exceljs before version 1.6.0. The library fails to escape user-supplied cell values when rendering an Excel worksheet in a browser environment (e.g., using the HTML output feature). An attacker who can control a cell's content can inject arbitrary HTML or JavaScript that will be executed in the context of the viewer's browser session. Affected versions are all prior to 1.6.0 [1] [2] [3].

Exploitation

An attacker must be able to write a malicious payload into a cell value of an Excel workbook that is subsequently viewed via exceljs's HTML rendering. No special network position or authentication is required beyond the ability to supply the crafted workbook. When the victim opens the workbook in a browser using the library's display functionality, the unescaped payload executes as part of the rendered page [1] [2].

Impact

Successful exploitation leads to cross-site scripting (XSS). The attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, data theft, or actions performed on behalf of the victim. The impact is rated moderate: it is bounded by the same-origin policy, and the attacker gains no direct server-side access [3].

Mitigation

Upgrade exceljs to version 1.6.0 or later, which includes proper escaping of cell values for HTML contexts [3]. No other workarounds are documented in the available references. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
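As an added example (not exceljs's own code, which this advisory does not reproduce), the following stand-alone renderer turns a 2-D array of cell values into an HTML table in both the unescaped form described under Vulnerability and the escaped form that the 1.6.0 fix is described as introducing, plus a small check that flags rendered output containing tags the renderer did not emit itself. The function names and the sample rows are assumptions constructed for this example.

```javascript
// Added example, not code from exceljs. A minimal worksheet-to-HTML renderer
// in its vulnerable form (cell values interpolated verbatim) and its hardened
// form (cell values escaped for an HTML text context), the class of fix the
// advisory attributes to exceljs 1.6.0.

// Escape the characters that can break out of HTML text or attribute context.
// '&' goes first so the entities introduced by the later replacements are not
// themselves re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: each cell value lands in the markup unchanged, so a value
// that contains markup is parsed as markup by the viewer's browser.
function renderWorksheetUnsafe(rows) {
  const body = rows
    .map(row => '<tr>' + row.map(cell => `<td>${cell}</td>`).join('') + '</tr>')
    .join('');
  return `<table>${body}</table>`;
}

// Hardened form: every cell value is escaped before it reaches the markup,
// so the same value is displayed as literal text instead of being parsed.
function renderWorksheetSafe(rows) {
  const body = rows
    .map(row => '<tr>' + row.map(cell => `<td>${escapeHtml(cell)}</td>`).join('') + '</tr>')
    .join('');
  return `<table>${body}</table>`;
}

// Detection check usable in a unit test or CI gate: does the rendered output
// contain any tag other than the table structure the renderer itself emits?
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(t => !/^<\/?(table|tr|td)>$/.test(t));
}

// Constructed sample worksheet; the first cell of the second row holds the
// kind of markup an attacker-supplied workbook could carry.
const SAMPLE_ROWS = [
  ['Item', 'Amount'],
  ['<script>alert("xss")</script>', 42],
  ['Tom & Jerry', '"quoted"'],
];

console.log('unsafe:', renderWorksheetUnsafe(SAMPLE_ROWS));
console.log('safe:  ', renderWorksheetSafe(SAMPLE_ROWS));
```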

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
exceljs (npm)    < 1.6.0             1.6.0

Affected products

2
  • ghsa-coords
    Range: < 1.6.0
  • https://github.com/guyonroche/exceljsv5
    Range: 1.6.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.