Lucene search

PhpofficePhpspreadsheet

8 matches found

CVE
added 2018/11/14 11:29 a.m., 1076 views

CVE-2018-19277

securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file

CVSS 8.8, AI score 8.5, EPSS 0.01872

CVE
added 2024/08/28 9:15 p.m., 65 views

CVE-2024-45048

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions are subject to a bypassing of a filter which allows for an XXE-attack. This in turn allows an attacker to obtain contents of local files, even if error reporting is muted. This vulnerability has been addr...

CVSS 8.8, AI score 7.2, EPSS 0.00051

CVE
added 2019/11/07 3:15 p.m., 59 views

CVE-2019-12331

PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the xml payloa...

CVSS 8.8, AI score 8.4, EPSS 0.01872

CVE
added 2025/01/03 5:15 p.m., 49 views

CVE-2024-56366

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the Accounting.php file. Using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.p...

CVSS 8.3, AI score 6, EPSS 0.00055

CVE
added 2025/01/03 4:15 p.m., 48 views

CVE-2024-56408

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a cross-site scripting attack. Ver...

CVSS 8.3, AI score 6.1, EPSS 0.00069

CVE
added 2025/01/03 5:15 p.m., 47 views

CVE-2024-56365

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the Downloader class. Using the /vendor/phpoffice/phpspreadsheet/samples/download.php scri...

CVSS 8.3, AI score 6, EPSS 0.00055

CVE
added 2025/01/03 5:15 p.m., 44 views

CVE-2024-56409

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the Currency.php file. Using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php s...

CVSS 8.3, AI score 6, EPSS 0.00055

CVE
added 2024/10/07 9:15 p.m., 38 views

CVE-2024-45291

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. It's possible for an attacker to construct an XLSX file that links images from arbitrary paths. When embedding images has been enabled in HTML writer with $writer->setEmbedImages(true); those files will be included i...

CVSS 8.8, AI score 7.1, EPSS 0.00335