GHSA-x6mh-rjwm-8ph7

Source

https://github.com/advisories/GHSA-x6mh-rjwm-8ph7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-x6mh-rjwm-8ph7/GHSA-x6mh-rjwm-8ph7.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-x6mh-rjwm-8ph7

Aliases

CVE-2024-55878

Published

2024-12-12T19:22:53Z

Modified

2024-12-12T22:49:32.711358Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Cross-site Scripting vulnerability in SimpleXLSXEx::readXfs and SimpeXLSX::toHTMLEx

Details

Impact

When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code.

Patches

The supplied patch resolves this vulnerability for SimpleXLSX. Use 1.1.12

Workarounds

Don't use direct publication via toHTMLEx

This vulnerability was discovered by Aleksey Solovev (Positive Technologies)

Database specific

{
    "nvd_published_at": "2024-12-12T20:15:21Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-12T19:22:53Z"
}

References

Affected packages

Packagist / shuchkin/simplexlsx

Package

Name: shuchkin/simplexlsx
Purl: pkg:composer/shuchkin/simplexlsx

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.12

Fixed

1.1.12

Affected versions

1.*

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.1.10

1.1.11