Vulnerability Details CVE-2020-7776
This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 55.7%
CVSS Severity
CVSS v3 Score 7.1
CVSS v2 Score 3.5
References
- https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792
- https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845
- https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
- https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792
- https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845
- https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
Products affected by CVE-2020-7776
-
cpe:2.3:a:phpoffice:phpspreadsheet:-
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.0.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.1.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.10.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.10.1
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.11.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.12.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.13.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.14.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.14.1
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.15.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.2.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.2.1
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.3.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.3.1
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.4.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.4.1
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.5.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.5.1
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.5.2
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.6.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.7.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.8.0
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.8.1
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.8.2
-
cpe:2.3:a:phpoffice:phpspreadsheet:1.9.0