CVE-2024-55878
6.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in version 1.0.12 and prior to version 1.1.12, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Version 1.1.12 fixes the issue. As a workaround, don't use direct publication via toHTMLEx.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| shuchkin | simplexlsx | >= 1.0.12, < 1.1.12 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/shuchkin/simplexlsx/security/advisories/GHSA-x6mh-rjwm-8ph7
- https://github.com/shuchkin/simplexlsx/commit/cb4e716259e83d18e89292a4f1b721f4d34e28c2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.