CVE-2024-56410

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-56410

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56410.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-56410

Aliases

GHSA-wv23-996v-q229

Related

GHSA-wv23-996v-q229

Published

2025-01-03T18:15:15Z

Modified

2025-01-15T05:17:10.997775Z

Summary

[none]

Details

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.

References

Affected packages

Git / github.com/phpoffice/phpspreadsheet

Affected ranges

Type: GIT
Repo: https://github.com/phpoffice/phpspreadsheet
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

45052f88e04c735d56457a8ffcdc40b2635a028e

Affected versions

1.*

1.0.0

1.0.0-beta

1.0.0-beta2

1.1.0

1.10.0

1.10.1

1.11.0

1.12.0

1.13.0

1.14.0

1.14.1

1.15.0

1.16.0

1.17.0

1.17.1

1.18.0

1.19.0

1.2.0

1.2.1

1.20.0

1.21.0

1.22.0

1.23.0

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.27.0

1.28.0

1.29.0

1.3.0

1.3.1

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.7.0

1.8.0

1.8.1

1.8.2

1.9.0

2.*

2.0.0

2.1.0

2.2.0

2.2.1

2.2.2

3.*

3.3.0

3.4.0

3.5.0

3.6.0

Other

phpexcel-last-cherry-picked-commit

phpexcel-last-release-1.*

phpexcel-last-release-1.8.1