Security Advisories - phpoffice/phpexcel

phpoffice/phpexcel Security Advisories for 1.8.0rc4 (21)

[MEDIUM] PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

PKSA-2vt6-y6jz-crs9 CVE-2025-23210 GHSA-r57h-547h-w24f

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet

PKSA-n1xd-9q81-6m2k CVE-2025-22131 GHSA-79xx-vf93-p7cx

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

PKSA-5bk7-32wt-w1f6 CVE-2024-56412 GHSA-q9jv-mm3r-j47r

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

PKSA-wd5y-fztj-66t8 CVE-2024-56411 GHSA-hwcp-2h35-p66w

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties

PKSA-996h-kvqc-cdky CVE-2024-56410 GHSA-wv23-996v-q229

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file

PKSA-p4bt-rmgm-ynz5 CVE-2024-56409 GHSA-j2xg-cjcx-4677

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file

PKSA-kxx5-ph1r-5bg2 CVE-2024-56366 GHSA-c6fv-7vh8-2rhr

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class

PKSA-bx2k-kfb8-w1zm CVE-2024-56365 GHSA-jmpx-686v-c3wx

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file

PKSA-79jx-g5m1-5ybs CVE-2024-56408 GHSA-x88g-h956-m5xg

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] XXE in PHPSpreadsheet's XLSX reader

PKSA-j2jw-2hjb-39hn CVE-2024-48917 GHSA-7cc9-j4mv-vcjp

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] XmlScanner bypass leads to XXE

PKSA-yb2q-9cbc-scfr CVE-2024-47873 GHSA-jw4x-v69f-hh5w

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] XXE in PHPSpreadsheet's XLSX reader

PKSA-xzzd-fyzv-1nm2 CVE-2024-45293 GHSA-6hwr-6v2f-3m88

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

PKSA-b7bk-6mnf-vvf4 CVE-2024-45292 GHSA-r8w8-74ww-j4wh

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled

PKSA-gn6r-3fbg-vpq7 CVE-2024-45291 GHSA-w9xv-qf98-ccq4

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file

PKSA-81dj-mb26-861s CVE-2024-45290 GHSA-5gpr-w2p5-6m37

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file

PKSA-1p4c-ysfb-v9ph CVE-2024-45060 GHSA-v66g-p9x6-v98p

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] XXE in PHPSpreadsheet encoding is returned

PKSA-j343-tkpg-k39h CVE-2024-45048 GHSA-ghg6-32f9-2jp7

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

PKSA-xj88-cdcs-bgkr CVE-2024-45046 GHSA-wgmf-q9vr-vww6

Affected version: <=1.8.2

Reported by:
GitHub
[MEDIUM] Cross-site scripting in phpoffice/phpspreadsheet

PKSA-s9h9-dzpw-9hsj CVE-2020-7776 GHSA-4mqv-gcr3-pff9

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue

PKSA-hn36-2kk8-hb3y CVE-2019-12331 GHSA-vvwv-h69m-wg6f

Affected version: <=1.8.2

Reported by:
GitHub
[HIGH] XXE Vulnerability

PKSA-22dg-9jng-vjc5 CVE-2015-3542 GHSA-3m9x-2qfj-xvq4

Affected version: <1.8.1

Reported by:
GitHub, FriendsOfPHP/security-advisories

phpoffice/phpexcel Security Advisories for 1.8.0rc4 (21)

[MEDIUM] PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

[MEDIUM] Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet

[MEDIUM] PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

[MEDIUM] PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties

[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file

[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file

[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader class

[HIGH] PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file

[HIGH] XXE in PHPSpreadsheet's XLSX reader

[HIGH] XmlScanner bypass leads to XXE

[HIGH] XXE in PHPSpreadsheet's XLSX reader

[MEDIUM] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

[MEDIUM] PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled

[HIGH] PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX file

[MEDIUM] PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file

[HIGH] XXE in PHPSpreadsheet encoding is returned

[MEDIUM] PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

[MEDIUM] Cross-site scripting in phpoffice/phpspreadsheet

[HIGH] XXE in PHPSpreadsheet due to incomplete fix for previous encoding issue

[HIGH] XXE Vulnerability