Lucene search
GoogleOSV:CVE-2019-12331HistoryNov 07, 2019 - 3:15 p.m.
CVE-2019-12331
2019-11-0715:15:10
Google
osv.dev
5
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the the xml payload to utf-7 it is possible to bypass the check for the string β<!ENTITYβ and thus allowing for an xml external entity processing (XXE) attack.
Related
cve
cve
CVE-2019-12331
2019-11-07 15:15:10
CVE-2018-19277
2018-11-14 11:29:07
veracode
veracode
XML External Entity (XXE)
2019-11-08 03:24:33
XML External Entity Injection (XXE)
2018-11-15 08:20:07
prion
prion
Xxe
2019-11-07 15:15:00
Design/Logic Flaw
2018-11-14 11:29:00
cvelist
cvelist
CVE-2019-12331
2019-11-07 14:03:43
CVE-2018-19277
2018-11-14 11:00:00
github
github
XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
2019-11-20 01:39:57
XXE in PHPSpreadsheet due to encoding issue
2019-11-20 01:38:52
osv
osv
XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
2019-11-20 01:39:57
CVE-2018-19277
2018-11-14 11:29:07
XXE in PHPSpreadsheet due to encoding issue
2019-11-20 01:38:52
nvd
nvd
CVE-2019-12331
2019-11-07 15:15:10
CVE-2018-19277
2018-11-14 11:29:07
friendsofphp
friendsofphp
XXE Vulnerability
2019-07-01 12:55:00
XXE Vulnerability
2018-11-22 23:07:00
XXE Vulnerability
2018-11-20 19:50:00
checkpoint_advisories
checkpoint_advisories
PhpSpreadsheet XML External Entity Injection (CVE-2018-19277)
2019-01-03 00:00:00
zdt
zdt
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE) Vulnerability
2018-12-24 00:00:00
exploitpack
exploitpack
PhpSpreadsheet 1.5.0 - XML External Entity (XXE)
2018-11-30 00:00:00
myhack58
myhack58
exploitdb
exploitdb
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)
2018-11-30 00:00:00