CVE-2024-56365
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-56365
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56365.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-56365
- Aliases
- Published
- 2025-01-03T16:56:35Z
- Modified
- 2025-10-20T20:29:59.068956Z
- Severity
-
- 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L CVSS Calculator
- Summary
- PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class
- Details
-
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the
Downloaderclass. Using the/vendor/phpoffice/phpspreadsheet/samples/download.phpscript, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. - Database specific
{ "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Git / github.com/phpoffice/phpspreadsheet
Affected ranges
- Type
- GIT
- Repo
- https://github.com/phpoffice/phpspreadsheet
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/phpoffice/phpspreadsheet
- Events
- Type
- GIT
- Repo
- https://github.com/phpoffice/phpspreadsheet
- Events
Affected versions
1.*
1.0.0
1.0.0-beta
1.0.0-beta2
1.1.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.2.0
1.2.1
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.27.0
1.28.0
1.29.0
1.29.1
1.29.2
1.29.4
1.29.5
1.29.6
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
2.*
2.0.0
2.1.0
2.1.1
2.1.3
2.1.4
2.1.5
2.2.0
2.2.1
2.2.2
2.3.0
2.3.2
2.3.3
2.3.4
Other
phpexcel-last-cherry-picked-commit
phpexcel-last-release-1.*
phpexcel-last-release-1.8.1