VYPR

Packagist (Composer) package

phpoffice/phpspreadsheet

pkg:composer/phpoffice/phpspreadsheet

Vulnerabilities (27)

  • CVE-2024-45292 (Oct 7, 2024)
    affected >= 2.2.0, < 2.3.0; fixed 2.3.0

    PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in relea

  • CVE-2024-45293 (Oct 7, 2024)
    affected >= 2.2.0, < 2.3.0; fixed 2.3.0

    PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure, utilizing white-spaces. On servers that allow users to upload th

  • CVE-2024-45046 (Aug 28, 2024)
    affected >= 2.0.0, < 2.1.0; fixed 2.1.0

    PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions `\PhpOffice\PhpSpreadsheet\Writer\Html` doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a

  • CVE-2024-45048 (Aug 28, 2024)
    affected < 1.29.1; fixed 1.29.1

    PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a filter bypass that allows an XXE attack. This in turn allows an attacker to obtain the contents of local files, even if error reporting is muted. This vulnerab

  • CVE-2020-7776 (Dec 9, 2020)
    affected < 1.16.0; fixed 1.16.0

    This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of l

  • CVE-2019-12331 (Nov 7, 2019)
    affected < 1.8.0; fixed 1.8.0

    PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to UTF-8 if something other than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding

  • CVE-2018-19277 (Nov 14, 2018)
    affected < 1.5.1; fixed 1.5.1

    securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
