CVE-2014-2054: PHPExcel vulnerable to XXE attacks through libxml

May 17, 2022 (updated September 25, 2023)

PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

References

owncloud.org/about/security/advisories/oC-SA-2014-006/
github.com/PHPOffice/PHPExcel/blob/2b601574975acfb9d4378a788ed5f2b747958095/changelog.txt
github.com/PHPOffice/PHPExcel/commit/e04bf7ed091b0a72d028eacf26d770b485d4e897
github.com/advisories/GHSA-28rm-rj57-qjpv
nvd.nist.gov/vuln/detail/CVE-2014-2054

Detect and mitigate CVE-2014-2054 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →