CVE-2020-7776: Cross-site scripting in phpoffice/phpspreadsheet
(updated )
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/phpoffice/phpspreadsheet/CVE-2020-7776.yaml
- github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Writer/Html.php%23L1792
- github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59abc957a98845
- github.com/PHPOffice/PhpSpreadsheet/pull/1719
- github.com/advisories/GHSA-4mqv-gcr3-pff9
- nvd.nist.gov/vuln/detail/CVE-2020-7776
- snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
Code Behaviors & Features
Detect and mitigate CVE-2020-7776 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →