72 matches found
CVE-2019-12331
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to UTF-8 if something other than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277, but the fix is not sufficient. By double-encoding the XML...
CVE-2019-12331
PHPOffice PhpSpreadsheet before 1.8.0 contains an XXE flaw in the XML handling of sheet1.xml. The XmlScanner decodes sheet1.xml to UTF-8 when a non-UTF-8 encoding is declared, and an attacker can double-encode payloads in UTF-7 to bypass the string check for , enabling XML External Entity (XXE) p...
XML External Entity
Overview: Affected versions of this package are vulnerable to XML External Entity. The XmlScanner decodes the sheet1.xml from an .xlsx to UTF-8 if something other than UTF-8 is declared in the header. This was a security measure to prevent CVE-2018-19277, but the fix is not sufficient. By...
PhpSpreadsheet 1.5.0 XXE vulnerability reproduction and analysis-vulnerability warning-the black bar safety net
0x01 Introduction: PhpSpreadsheet is a very popular pure-PHP class library that lets you easily read and write Excel, LibreOffice Calc and other spreadsheet file formats; it is the alternative to PHPExcel. On 2018 11 October 13, PhpSpreadsheet was disclosed to have an XXE vulnerability, CVE-2018-19277, in...
CVE-2018-19277
securityScan in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file...
CVE-2018-19277
CVE-2018-19277 affects PhpSpreadsheet (PHPOffice) up to version 1.5.0. The flaw: the library’s XML handling in Xlsx files can bypass protection via UTF-7 encoding, enabling an XML External Entity (XXE) attack. Root cause per sources: XmlScanner/Xml parsing when declared encoding differs from UTF-...
XML External Entity (XXE)
phpoffice/common is vulnerable to XML external entity (XXE) attacks. The vulnerability exists due to insecure defaults under which external entities were allowed, making XXE attacks possible...
CVE-2018-14065
XMLReader.php in PHPOffice Common before 0.2.9 allows XXE...
CVE-2018-14065
PHPOffice Common contains an XXE vulnerability in XMLReader.php, affecting versions before 0.2.9. Root cause: improper handling of XML external entities. Impact is described as XXE exposure in related advisories. Remediation: upgrade to PHPOffice Common 0.2.9 (see releases tag 0.2.9) to fix the is...