GHSA-r87q-fj25-f8jf

Source

https://github.com/advisories/GHSA-r87q-fj25-f8jf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-r87q-fj25-f8jf/GHSA-r87q-fj25-f8jf.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-r87q-fj25-f8jf

Aliases

CVE-2024-56364

Published

2024-12-23T18:18:54Z

Modified

2024-12-23T21:02:22.635504Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Cross-site Scripting vulnerability in SimpleXLSXEx::readThemeColors, SimpleXLSXEx::getColorValue and SimpleXLSX::toHTMLEx

Details

Impact

When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code.

Patches

The supplied patch resolves this vulnerability for SimpleXLSX. Use 1.1.13

Workarounds

Don't use data publication via toHTMLEx

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Database specific

{
    "nvd_published_at": "2024-12-23T16:15:07Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T18:18:54Z"
}

References

Affected packages

Packagist / shuchkin/simplexlsx

Package

Name: shuchkin/simplexlsx
Purl: pkg:composer/shuchkin/simplexlsx

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.12

Fixed

1.1.13

Affected versions

1.*

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.1.10

1.1.11

1.1.12