exploitDog

GHSA-x6mh-rjwm-8ph7

Published: Dec 12, 2024
Source: github
GitHub: Reviewed
CVSS3: 6.8

Description

Cross-site Scripting vulnerability in SimpleXLSXEx::readXfs and SimpleXLSX::toHTMLEx

Impact

When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code.

Patches

The supplied patch resolves this vulnerability for SimpleXLSX. Use version 1.1.12.

Workarounds

Don't use direct publication via toHTMLEx.


This vulnerability was discovered by Aleksey Solovev (Positive Technologies).

Packages

Name: shuchkin/simplexlsx (composer)

Affected versions: >= 1.0.12, < 1.1.12
Fixed version: 1.1.12

EPSS

Percentile: 44%
Score: 0.00218
Low

CVSS3: 6.8 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.8
nvd
about 1 year ago

SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in version 1.0.12 and prior to version 1.1.12, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Version 1.1.12 fixes the issue. As a workaround, don't use direct publication via toHTMLEx.
