
5 matches found

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2022-1943

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 8.5 | EPSS 0.00727
Exploits: 1 | References: 7
Snyk
added 2024/10/07 3:57 p.m. | 1 views

Absolute Path Traversal

Overview: Affected versions of this package are vulnerable to Absolute Path Traversal via the setPath method. An attacker can access or leak sensitive information by constructing a malicious XLSX file that manipulates the path to external or internal resources, exploiting the file reading mechanis...

CVSS 8.3 | AI score 6.6 | EPSS 0.00305
Exploits: 1 | References: 2
Snyk
added 2024/08/28 9:42 p.m. | 1 views

XML External Entity (XXE) Injection

Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection by bypassing the filter, which allows an attacker to obtain the contents of local files, even if error reporting is muted by the @ symbol. Remediation: There is no fixed version for phpoffice/phpexcel. References -...

CVSS 8.8 | AI score 7 | EPSS 0.00155
Exploits: 1 | References: 2
UbuntuCve
added 2014/06/04 2:55 p.m. | 29 views

CVE-2014-2054

PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack...

CVSS 7.5 | AI score 7.3 | EPSS 0.00727
Exploits: 1 | References: 3
Snyk
added 2014/06/04 2:55 p.m. | 2 views

Denial of Service (DoS)

Overview: Affected versions of this package are vulnerable to Denial of Service (DoS). PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of...

CVSS 7.5 | AI score 7.7 | EPSS 0.00727
Exploits: 1 | References: 2