GHSA-4mqv-gcr3-pff9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4mqv-gcr3-pff9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-4mqv-gcr3-pff9/GHSA-4mqv-gcr3-pff9.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4mqv-gcr3-pff9
- Aliases
- Published
- 2021-05-06T18:53:37Z
- Modified
- 2025-03-06T18:23:04.777638Z
- Severity
-
- 6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-site scripting in phpoffice/phpspreadsheet
- Details
-
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML.
- Database specific
{ "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2021-04-09T21:12:55Z", "severity": "MODERATE", "nvd_published_at": "2020-12-09T17:15:00Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-7776
- https://github.com/PHPOffice/PhpSpreadsheet/pull/1719
- https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2020-7776.yaml
- https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792
- https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
Affected packages
Packagist / phpoffice/phpspreadsheet
Package
- Name
- phpoffice/phpspreadsheet
- Purl
- pkg:composer/phpoffice/phpspreadsheet
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.16.0
Packagist / phpoffice/phpexcel
Package
- Name
- phpoffice/phpexcel
- Purl
- pkg:composer/phpoffice/phpexcel