CVE-2020-7776: Cross-site Scripting
This affects the package phpoffice/phpspreadsheet
from The library is vulnerable to XSS when it creates HTML output from an Excel file in which a comment has been added to any cell. The root cause is in the HTML writer, where user comments are concatenated as part of a link and the result is returned as HTML.
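The pattern behind this class of bug, shown next to its hardened form. This is an added example, not code from phpoffice/phpspreadsheet: the function names, the markup, the `note-marker` and `note` class names and the sample comment are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a spreadsheet-to-HTML writer (not the library's code).

/** Encode a user-controlled string for an HTML text or attribute context. */
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the cell comment is concatenated into markup as-is. */
function renderCellUnsafe(string $value, string $comment): string
{
    return '<td>' . encodeHtml($value)
        . '<a class="note-marker"></a>'
        . '<div class="note">' . $comment . '</div></td>';
}

/** Hardened pattern: the comment is encoded at the point of output. */
function renderCellSafe(string $value, string $comment): string
{
    return '<td>' . encodeHtml($value)
        . '<a class="note-marker"></a>'
        . '<div class="note">' . encodeHtml($comment) . '</div></td>';
}

/** Regression check: true if the rendered HTML still contains raw markup from the comment. */
function commentMarkupSurvives(string $html, string $comment): bool
{
    return $comment !== encodeHtml($comment) && strpos($html, $comment) !== false;
}

// Constructed sample: a comment as it might arrive inside an uploaded workbook.
$comment = 'Q3 total <script>alert(1)</script>';

$unsafe = renderCellUnsafe('1200', $comment);
$safe   = renderCellSafe('1200', $comment);

// Reports whether the raw comment markup reached the page in each variant.
var_dump(commentMarkupSurvives($unsafe, $comment));
var_dump(commentMarkupSurvives($safe, $comment));
echo $safe, PHP_EOL;
```

A check like `commentMarkupSurvives` can sit in a unit test around whatever code converts untrusted workbooks to HTML, so a dependency downgrade or a custom writer that reintroduces the concatenation is caught before release.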