Search for packages
| purl | pkg:composer/phpoffice/phpspreadsheet@3.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5y3a-g167-cfcc
Aliases: CVE-2024-56409 GHSA-j2xg-cjcx-4677 |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-7ems-eufh-fbfa
Aliases: CVE-2024-56410 GHSA-wv23-996v-q229 |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-b755-j9km-cfgf
Aliases: CVE-2025-23210 GHSA-r57h-547h-w24f |
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.8, and 1.29.9. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
Affected by 6 other vulnerabilities. |
|
VCID-djyw-zdtt-w3bh
Aliases: CVE-2024-56411 GHSA-hwcp-2h35-p66w |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-j7nc-f2fc-zbgj
Aliases: CVE-2024-56408 GHSA-x88g-h956-m5xg |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-kmuj-5s89-eybd
Aliases: CVE-2024-56365 GHSA-jmpx-686v-c3wx |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-q8sj-ph4s-xbdt
Aliases: CVE-2025-54370 GHSA-rx7m-68vc-ppxh |
PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-ug83-4nag-xye6
Aliases: CVE-2024-56366 GHSA-c6fv-7vh8-2rhr |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-wnr2-svnk-zqaz
Aliases: CVE-2024-56412 GHSA-q9jv-mm3r-j47r |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. |
Affected by 8 other vulnerabilities. |
|
VCID-yk82-b7dm-r3fz
Aliases: CVE-2025-22131 GHSA-79xx-vf93-p7cx |
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response. |
Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||