CVE-2024-56410

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-56410

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56410.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-56410

Aliases

GHSA-wv23-996v-q229

Published

2025-01-03T17:17:52.596Z

Modified

2025-12-05T07:36:03.694315Z

Severity

4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

PhpSpreadsheet has Cross-Site Scripting (XSS) vulnerability in custom properties

Details

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56410.json",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Git / github.com/phpoffice/phpspreadsheet

Affected ranges

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

Fixed

02c8625411dcb96e1f63d58c47460284e15b2e80

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.29.7"
        }
    ]
}

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

4a77798f835119754961a97714f135826a323caa

Fixed

04e8b6edc1bba1bbc8e1aef4111903d11e8323c1

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/phpoffice/phpspreadsheet

Events

Introduced

b0993b7e4d9c860133365d115b176bc6e0f57022

Fixed

d836f2d7308a192441ccd1546545890b378af913

Database specific

{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.3.5"
        }
    ]
}

Affected versions

1.*

1.0.0

1.0.0-beta

1.0.0-beta2

1.1.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.2.0

1.2.1

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.27.0

1.28.0

1.29.0

1.29.1

1.29.2

1.29.4

1.29.5

1.29.6

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

2.*

2.0.0

2.1.0

2.1.1

2.1.3

2.1.4

2.1.5

2.2.0

2.2.1

2.2.2

2.3.0

2.3.2

2.3.3

2.3.4

Other

phpexcel-last-cherry-picked-commit

phpexcel-last-release-1.*

phpexcel-last-release-1.8.1