GHSA-2j2j-8rrv-264g

Source
https://github.com/advisories/GHSA-2j2j-8rrv-264g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-2j2j-8rrv-264g/GHSA-2j2j-8rrv-264g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2j2j-8rrv-264g
Aliases
  • CVE-2018-16459
Published
2018-09-11T18:58:40Z
Modified
2023-11-08T03:59:59.393470Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-Site Scripting in exceljs
Details

Versions of exceljs before 1.6.0 are vulnerable to cross-site scripting (CWE-79).

The cause is that exceljs does not sanitize the data it reads from a parsed XLSX file: HTML tags such as <script> present in a cell's text are carried into the sheet cells unchanged. A crafted workbook can therefore inject JavaScript that executes when an application displays the parsed cell data in a browser. The CVSS vector matches this chain: the attacker needs no privileges (PR:N) but a user has to open or view the crafted file (UI:R), and the impact lands in the viewing user's browser rather than in the library that parsed the file (S:C).
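The following is an added example, not code from the exceljs project or from the advisory. It shows the rendering step at which a cell value parsed from an attacker-supplied workbook turns into script execution, and the hardened form. The rows are constructed sample input standing in for what an application would get back from the library; no real XLSX file is parsed, and the function names are the example's own.

```javascript
// Constructed sample rows (not parsed from a real workbook) standing in for
// the cell values an application gets back from exceljs after parsing an
// XLSX file supplied by an untrusted party.
const parsedRows = [
  ["Name", "Note"],
  ["Alice", "Paid in full"],
  // Attacker-controlled cell text, carried through from the file unchanged.
  ["Mallory", '<img src=x onerror="alert(document.cookie)">'],
  ["Eve", "<script>alert(1)</script> & friends"],
];

// Vulnerable pattern: cell text is concatenated straight into HTML markup,
// so any tag inside a cell is parsed by the browser as markup, not as text.
function renderUnsafe(rows) {
  const body = rows
    .map((row) => `<tr>${row.map((cell) => `<td>${cell}</td>`).join("")}</tr>`)
    .join("");
  return `<table>${body}</table>`;
}

// HTML entity escaping for text placed between tags or inside a quoted
// attribute. Escaping all five characters keeps a value inert in both places.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every cell value is escaped before it touches the markup.
// This is worth doing on any exceljs version, because workbook cell text is
// untrusted input regardless of how the library handles it.
function renderSafe(rows) {
  const body = rows
    .map((row) => `<tr>${row.map((cell) => `<td>${escapeHtml(cell)}</td>`).join("")}</tr>`)
    .join("");
  return `<table>${body}</table>`;
}

// Check helper: count tags in the output other than the table scaffolding.
// Anything left over came from cell content and would be live in a browser.
function foreignTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<\/?(table|tr|td)>$/.test(t)).length;
}
```

Running `foreignTagCount(renderUnsafe(parsedRows))` reports the injected img and script tags still present in the markup, while the escaped rendering reports none; in a DOM-based UI the equivalent fix is to assign cell values with `textContent` instead of `innerHTML`.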

Recommendation

Update to version 1.6.0 or later. Because cell text read from a workbook is untrusted input, applications that display parsed cell values in a page should also HTML-escape them (or assign them via textContent rather than innerHTML) instead of relying on the library alone.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:52:14Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
}
References

Affected packages

npm / exceljs

Affected ranges

Type: SEMVER
Events
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 1.6.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/09/GHSA-2j2j-8rrv-264g/GHSA-2j2j-8rrv-264g.json"