Vulnerability vector:
- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Severity (CVSSv3.1): 5.4 (medium)
- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
- Severity (CVSSv4.0): 4.8 (medium)
Description:
The vulnerability was identified in PhpSpreadsheet , versions >= 3.0.0, < 3.7.0/ <= 1.29.6/ >= 2.0.0, <= 2.1.5/ >= 2.2.0, <= 2.3.4.
The discovered vulnerability allows an attacker to process the javascript protocol with special characters, resulting in the ability to execute arbitrary JavaScript code in the victim's browser.
Vulnerability status: Confirmed by vendor
Date of vulnerability remediation: 27.12.2024
Recommendations:
- Update versions >= 3.0.0, < 3.7.0 to 3.7.0 or higher
- Update versions <= 1.29.6 to 1.29.7 or higher
- Update versions >= 2.0.0, <= 2.1.5 to 2.1.6 or higher
- Update versions >= 2.2.0, <= 2.3.4 to 2.3.5 or higher
Additional information: Security advisory
Researcher: Aleksey Solovev (Positive Technologies)