
exploitDog

CVE-2020-7776

Published: 09 Dec 2020
Source: nvd
CVSS3: 7.1
CVSS3: 6.4
CVSS2: 3.5
EPSS: Low

Description

This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.

Vulnerable configurations

Configuration 1
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*
Versions before 1.16.0 (exclusive)

EPSS

Percentile: 56%
0.00335
Low

7.1 High

CVSS3

6.4 Medium

CVSS3

3.5 Low

CVSS2

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.4
github
almost 5 years ago

Cross-site scripting in phpoffice/phpspreadsheet
