- Description
- PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 5.4
- Impact score
- 2.7
- Exploitability score
- 2.3
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- security-advisories@github.com
- CWE-79
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9FB20F02-0DCA-4875-B1AF-E6969820AD9A",
"versionEndExcluding": "1.29.2"
},
{
"criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "79F5B018-FDB7-40DC-9B67-7312ED70808F",
"versionEndExcluding": "2.1.1",
"versionStartIncluding": "2.0.0"
},
{
"criteria": "cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4B62CAAE-2E1E-42A2-9152-2DB7E3DA36A8",
"versionEndExcluding": "2.3.0",
"versionStartIncluding": "2.2.0"
}
],
"operator": "OR"
}
]
}
]