CVE-2020-7776

moderate-risk
Published 2020-12-09

This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.

Do I need to act?

-
0.34% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.1/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Phpoffice

References (6)

Broken Link https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Write...
Patch https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59a...
Exploit https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
Broken Link https://github.com/PHPOffice/PhpSpreadsheet/blob/master/src/PhpSpreadsheet/Write...
Patch https://github.com/PHPOffice/PhpSpreadsheet/commit/0ed5b800be2136bcb8fa9c1bdf59a...
Exploit https://snyk.io/vuln/SNYK-PHP-PHPOFFICEPHPSPREADSHEET-1048856
31
/ 100
moderate-risk
Severity 25/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal