Description
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. \PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize "javascript:" URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
References
- Exploit, Vendor Advisory
Vulnerable configurations
Configuration 1
- Versions before 1.29.2 (exclusive)
- Versions from 2.0.0 (inclusive) up to 2.1.1 (exclusive)
- Versions from 2.2.0 (inclusive) up to 2.3.0 (exclusive)
One of
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*
cpe:2.3:a:phpoffice:phpspreadsheet:*:*:*:*:*:*:*:*
EPSS
Percentile: 77%
0.01018
Low
5.4 Medium
CVSS3
Weaknesses
CWE-79
Related vulnerabilities
CVSS3: 5.4
github
more than 1 year ago
PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks