72 matches found
Cross Site Scripting
phpoffice/phpspreadsheet is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to insufficient sanitization of spreadsheet styling information by \PhpOffice\PhpSpreadsheet\Writer\Html, which fails to remove or neutralize potentially harmful content before rendering it in HTML. It...
Local File Bypass
phpoffice/phpspreadsheet is vulnerable to Local File Bypass. The vulnerability is due to improper validation and handling of XML input within XmlScanner.php, which allows attackers to exploit XXE to access local file contents...
XML External Entity (XXE) Injection
Overview: Affected versions of this package are vulnerable to XML External Entity (XXE) Injection by bypassing the filter, which allows an attacker to obtain the contents of local files even if error reporting is muted by the @ symbol. Remediation: There is no fixed version for phpoffice/phpexcel. References -...
PHPOffice Common Improper Restriction of XML External Entity Reference
XMLReader.php in PHPOffice Common before 0.2.9 allows XXE...
GHSA-2853-HF2G-9843 PHPOffice Common Improper Restriction of XML External Entity Reference
XMLReader.php in PHPOffice Common before 0.2.9 allows XXE...
Loft Data Grids - Moderately critical - XML External Entity (XXE) Processing - SA-CONTRIB-2021-043
This module enables aklump/loftdatagrids to be used as a Drupal module. Excel support was provided by https://packagist.org/packages/phpoffice/phpexcel, which is abandoned and there are known security vulnerabilities: CVE-2018-19277: PHPOffice/PhpSpreadsheet771. Excel support has since been...
GHSA-4MQV-GCR3-PFF9 Cross-site scripting in phpoffice/phpspreadsheet
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as...
Cross-site scripting in phpoffice/phpspreadsheet
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as...
Cross-site Scripting (XSS)
phpoffice/phpspreadsheet is vulnerable to cross-site scripting (XSS). The vulnerability exists when creating HTML output from an Excel cell, through a comment on any cell, as the comments get concatenated as part of the link...
CVE-2020-7776
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is...
Design/Logic Flaw
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is...
CVE-2020-7776
CVE-2020-7776 affects phpoffice/phpspreadsheet (0.0.0 and earlier): the HTML writer concatenates user comments into links when exporting to HTML from an Excel file, enabling XSS in HTML output. Root cause: HTML writer handling of cell comments. A fix is available in commit 0ed5b800be2136bcb8fa9c1...
CVE-2020-7776 Cross-site Scripting (XSS)
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is...
PT-2020-19785 · Phpoffice · Phpspreadsheet
Name of the Vulnerable Software and Affected Versions: phpoffice/phpspreadsheet versions 0.0.0 and earlier. Description: The library is vulnerable to XSS when creating an HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where us...
GHSA-VVWV-H69M-WG6F XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the xml...
GHSA-XCRG-29H7-H4CJ XXE in PHPSpreadsheet due to encoding issue
securityScan in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file...
XXE in PHPSpreadsheet due to encoding issue
securityScan in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file...
XML External Entity (XXE)
PHPOffice PhpSpreadsheet is vulnerable to XXE. The fix to prevent CVE-2018-19277 was not sufficient to protect against the previous vulnerability. An attacker is able to bypass the mitigation by double-encoding the XML payload into utf-7 and bypass the check for the string '<!ENTITY'...
CVE-2019-12331
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the xml...