CVE-2020-7776 – phpoffice/phpspreadsheet

Package

Manager: composer
Name: phpoffice/phpspreadsheet
Vulnerable Version: >=0 <1.16.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00335 pctl0.55756

Details

Cross-site scripting in phpoffice/phpspreadsheet This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML.

Metadata

Created: 2021-05-06T18:53:37Z
Modified: 2025-03-06T18:08:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-4mqv-gcr3-pff9/GHSA-4mqv-gcr3-pff9.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-4mqv-gcr3-pff9
Finding: F008
Auto approve: 1