CVE-2024-56366

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-56366

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56366.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-56366

Aliases

GHSA-c6fv-7vh8-2rhr

Published

2025-01-03T17:01:09.701Z

Modified

2025-12-01T19:53:50.483129Z

Severity

8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L CVSS Calculator

Summary

PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file

Details

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the Accounting.php file. Using the /vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56366.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/phpoffice/phpspreadsheet

Affected ranges

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

Fixed

02c8625411dcb96e1f63d58c47460284e15b2e80

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.29.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

4a77798f835119754961a97714f135826a323caa

Fixed

04e8b6edc1bba1bbc8e1aef4111903d11e8323c1

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

b0993b7e4d9c860133365d115b176bc6e0f57022

Fixed

d836f2d7308a192441ccd1546545890b378af913

Database specific

{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.3.5"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-beta

1.0.0-beta2

1.1.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.2.0

1.2.1

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.27.0

1.28.0

1.29.0

1.29.1

1.29.2

1.29.4

1.29.5

1.29.6

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

2.*

2.0.0

2.1.0

2.1.1

2.1.3

2.1.4

2.1.5

2.2.0

2.2.1

2.2.2

2.3.0

2.3.2

2.3.3

2.3.4

Other

phpexcel-last-cherry-picked-commit

phpexcel-last-release-1.*

phpexcel-last-release-1.8.1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56366.json"