CVE-2024-56366
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-56366
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56366.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-56366
- Aliases
- Published
- 2025-01-03T17:01:09Z
- Modified
- 2025-11-13T02:50:55.397906Z
- Severity
-
- 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L CVSS Calculator
- Summary
- PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file
- Details
-
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the
Accounting.phpfile. Using the/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.phpscript, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. - Database specific
{ "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Git / github.com/phpoffice/phpspreadsheet
Affected ranges
- Type
- GIT
- Repo
- https://github.com/phpoffice/phpspreadsheet
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.0.0
1.0.0-beta
1.0.0-beta2
1.1.0
1.10.0
1.10.1
1.11.0
1.12.0
1.13.0
1.14.0
1.14.1
1.15.0
1.16.0
1.17.0
1.17.1
1.18.0
1.19.0
1.2.0
1.2.1
1.20.0
1.21.0
1.22.0
1.23.0
1.24.0
1.24.1
1.25.0
1.25.1
1.25.2
1.27.0
1.28.0
1.29.0
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.5.1
1.5.2
1.6.0
1.7.0
1.8.0
1.8.1
1.8.2
1.9.0
2.*
2.0.0
2.1.0
2.2.0
2.2.1
2.2.2
3.*
3.3.0
3.4.0
3.5.0
3.6.0
Other
phpexcel-last-cherry-picked-commit
phpexcel-last-release-1.*
phpexcel-last-release-1.8.1