Lucene search
GoogleOSV:GHSA-4MQV-GCR3-PFF9HistoryMay 06, 2021 - 6:53 p.m.
Cross-site scripting in phpoffice/phpspreadsheet
2021-05-0618:53:37
Google
osv.dev
11
phpoffice
phpspreadsheet
xss
html
vulnerability
excel file
EPSS
0.001
Percentile
26.4%
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML.
References
github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2020-7776.yaml
github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792
github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845
github.com/PHPOffice/PhpSpreadsheet/pull/1719
nvd.nist.gov/vuln/detail/CVE-2020-7776
snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
Related
veracode
veracode
Cross-site Scripting (XSS)
2020-12-10 03:16:23
nvd
nvd
CVE-2020-7776
2020-12-09 17:15:31
friendsofphp
friendsofphp
XSS Vulnerability in HTML Writer
2020-12-31 19:20:00
cvelist
cvelist
CVE-2020-7776 Cross-site Scripting (XSS)
2020-12-09 16:45:18
cve
cve
CVE-2020-7776
2020-12-09 17:15:31
osv
osv
CVE-2020-7776
2020-12-09 17:15:31
github
github
Cross-site scripting in phpoffice/phpspreadsheet
2021-05-06 18:53:37
prion
prion
Design/Logic Flaw
2020-12-09 17:15:00