Lucene search
Veracode Vulnerability DatabaseVERACODE:21930HistoryNov 08, 2019 - 3:24 a.m.
XML External Entity (XXE)
2019-11-0803:24:33
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
8
0.019 Low
EPSS
Percentile
88.5%
PHPOffice PhpSpreadsheet is vulnerable to XXE. The fix to prevent CVE-2018-19277 was not sufficient to protect against the previous vulnerability. An attacker is able to bypass the mitigation by double-encoding the the XML payload into utf-7 and bypass the check for the string ?<!ENTITY?.
| CPE | Name | Operator | Version |
|---|---|---|---|
| phpoffice/phpspreadsheet | le | 1.7.0 |
Related
osv
osv
CVE-2019-12331
2019-11-07 15:15:10
XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
2019-11-20 01:39:57
CVE-2018-19277
2018-11-14 11:29:07
nvd
nvd
CVE-2019-12331
2019-11-07 15:15:10
CVE-2018-19277
2018-11-14 11:29:07
cve
cve
CVE-2019-12331
2019-11-07 15:15:10
CVE-2018-19277
2018-11-14 11:29:07
prion
prion
Xxe
2019-11-07 15:15:00
Design/Logic Flaw
2018-11-14 11:29:00
cvelist
cvelist
CVE-2019-12331
2019-11-07 14:03:43
CVE-2018-19277
2018-11-14 11:00:00
github
github
XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue
2019-11-20 01:39:57
XXE in PHPSpreadsheet due to encoding issue
2019-11-20 01:38:52
friendsofphp
friendsofphp
XXE Vulnerability
2019-07-01 12:55:00
XXE Vulnerability
2018-11-20 19:50:00
XXE Vulnerability
2018-11-22 23:07:00
veracode
veracode
XML External Entity Injection (XXE)
2018-11-15 08:20:07
checkpoint_advisories
checkpoint_advisories
PhpSpreadsheet XML External Entity Injection (CVE-2018-19277)
2019-01-03 00:00:00
zdt
zdt
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE) Vulnerability
2018-12-24 00:00:00
myhack58
myhack58
exploitpack
exploitpack
PhpSpreadsheet 1.5.0 - XML External Entity (XXE)
2018-11-30 00:00:00
exploitdb
exploitdb
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)
2018-11-30 00:00:00