phpoffice/phpspreadsheet Security Advisories for 3.6.0 (7)
-
[MEDIUM] PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters
PKSA-7jd6-nb49-bz4v CVE-2024-56412 GHSA-q9jv-mm3r-j47r
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header
PKSA-nm34-xhtz-ww9p CVE-2024-56411 GHSA-hwcp-2h35-p66w
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties
PKSA-4ckb-wpj6-c29d CVE-2024-56410 GHSA-wv23-996v-q229
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file
PKSA-ybqb-vyrq-8pdt CVE-2024-56409 GHSA-j2xg-cjcx-4677
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file
PKSA-285y-y5bt-kvd9 CVE-2024-56366 GHSA-c6fv-7vh8-2rhr
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class
PKSA-jw5c-q9nd-tzj9 CVE-2024-56365 GHSA-jmpx-686v-c3wx
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub -
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file
PKSA-bcnb-9tc9-bjb8 CVE-2024-56408 GHSA-x88g-h956-m5xg
Affected version: >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0
Reported by:
GitHub