Moderate severityNVD Advisory· Published Dec 9, 2020· Updated Sep 16, 2024
Cross-site Scripting (XSS)
CVE-2020-7776
Description
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpoffice/phpspreadsheetPackagist | < 1.16.0 | 1.16.0 |
phpoffice/phpexcelPackagist | <= 1.8.2 | — |
Affected products
3- phpoffice/phpspreadsheetdescription
- ghsa-coords2 versions
<= 1.8.2+ 1 more
- (no CPE)range: <= 1.8.2
- (no CPE)range: < 1.16.0
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-4mqv-gcr3-pff9ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-7776ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2020-7776.yamlghsaWEB
- github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792ghsax_refsource_MISCWEB
- github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845ghsax_refsource_MISCWEB
- github.com/PHPOffice/PhpSpreadsheet/pull/1719ghsaWEB
- snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.