CVE-2024-55878

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-55878

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-55878.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-55878

Aliases

GHSA-x6mh-rjwm-8ph7

Published

2024-12-12T19:20:02.061Z

Modified

2025-12-01T19:51:04.946473Z

Severity

6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Cross-site Scripting vulnerability in SimpleXLSXEx::readXfs and SimpeXLSX::toHTMLEx

Details

SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in version 1.0.12 and prior to version 1.1.12, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Version 1.1.12 fixes the issue. As a workaround, don't use direct publication via toHTMLEx.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/55xxx/CVE-2024-55878.json"
}

References

Affected packages

Git / github.com/shuchkin/simplexlsx

Affected ranges

Type: GIT
Repo: https://github.com/shuchkin/simplexlsx
Events: Introduced

c08861cfe905467a9c711c801851c9c80a164c11

Fixed

0044a4c917037f7613bcd81c7766339a35b9832a

Affected versions

1.*

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.1.10

1.1.11

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-55878.json"