
Security issue with outdated phpoffice/phpspreadsheet <=2.3.0 #76

Open
chriwo opened this issue Oct 14, 2024 · 0 comments


chriwo commented Oct 14, 2024

Google has reported 5 security advisories regarding phpoffice/phpspreadsheet < 2.3.0:

```
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| Severity          | high                                                                             |
| CVE               | CVE-2024-45293                                                                   |
| Title             | XXE in PHPSpreadsheet's XLSX reader                                              |
| URL               | GHSA-6hwr-6v2f-3m88                                                              |
| Affected versions | >=2.0.0,<2.1.1|<1.29.1|>=2.2.0,<2.3.0                                            |
| Reported at       | 2024-10-07T15:58:52+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-45292                                                                   |
| Title             | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript  |
|                   | hyperlinks                                                                       |
| URL               | GHSA-r8w8-74ww-j4wh                                                              |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0                                            |
| Reported at       | 2024-10-07T15:58:25+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-45291                                                                   |
| Title             | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in |
|                   | HTML writer when embedding images is enabled                                     |
| URL               | GHSA-w9xv-qf98-ccq4                                                              |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0                                            |
| Reported at       | 2024-10-07T15:58:06+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| Severity          | high                                                                             |
| CVE               | CVE-2024-45290                                                                   |
| Title             | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery    |
|                   | when opening XLSX file                                                           |
| URL               | GHSA-5gpr-w2p5-6m37                                                              |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0                                            |
| Reported at       | 2024-10-07T15:57:38+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpoffice/phpspreadsheet                                                         |
| Severity          | medium                                                                           |
| CVE               | CVE-2024-45060                                                                   |
| Title             | PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file  |
| URL               | GHSA-v66g-p9x6-v98p                                                              |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0                                            |
| Reported at       | 2024-10-07T14:43:30+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
```

This package requires "phpoffice/phpspreadsheet": "^1.22"
https://github.com/frappant/frp_form_answers/blob/master/composer.json#L8

Because of the version constraint, this package does not allow updating phpoffice/phpspreadsheet to a safe 2.x version. I suggest migrating to phpoffice/phpspreadsheet 2. There are no particularly relevant breaking changes.
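The advisories above express their affected ranges in the syntax `composer audit` prints (`|` separates alternative ranges, `,` joins bounds within a range), and the issue's core point is that the caret constraint `^1.22` in composer.json can never resolve to a 2.x release. The following script, an added example that is not part of the issue or of the frp_form_answers project, parses that range syntax, checks a locked package version against the five advisory ranges quoted above, and expands a caret constraint to show which versions it admits. The `SAMPLE_LOCK` excerpt is constructed for the example and is not the project's real composer.lock.

```python
"""Check a locked Composer package version against composer-audit style affected ranges."""
import json
import re
from typing import Dict, List, Tuple

# Affected-version strings copied from the advisories quoted in the issue.
AFFECTED: Dict[str, str] = {
    "CVE-2024-45293": ">=2.0.0,<2.1.1|<1.29.1|>=2.2.0,<2.3.0",
    "CVE-2024-45292": ">=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0",
    "CVE-2024-45291": ">=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0",
    "CVE-2024-45290": ">=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0",
    "CVE-2024-45060": ">=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0",
}

# Constructed composer.lock excerpt for the example (not the real project lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "phpoffice/phpspreadsheet", "version": "1.29.0"}],
    "packages-dev": [],
})


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version string like 'v1.29.0-beta1' to a comparable (major, minor, patch) tuple.

    Pre-release suffixes are dropped; missing components are padded with 0.
    """
    core = version.lstrip("v").split("-")[0]
    nums = [int(n) for n in re.findall(r"\d+", core)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def matches(version: str, constraint: str) -> bool:
    """Return True if `version` falls inside a composer-audit range expression.

    '|' separates alternative ranges (OR); ',' joins bounds inside one range (AND).
    """
    ver = parse_version(version)
    for alternative in constraint.split("|"):
        satisfied = True
        for bound in alternative.split(","):
            m = re.fullmatch(r"\s*(>=|<=|>|<|=)?\s*([\w.\-]+)\s*", bound)
            if not m:
                raise ValueError(f"cannot parse bound {bound!r}")
            op, target = m.group(1) or "=", m.group(2)
            if not _OPS[op](ver, parse_version(target)):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def caret_range(constraint: str) -> str:
    """Expand a Composer caret constraint such as '^1.22' to its explicit bounds.

    Assumes a major version >= 1 (Composer treats ^0.x differently); raises otherwise.
    """
    base = parse_version(constraint.lstrip("^"))
    if base[0] == 0:
        raise ValueError("caret expansion for 0.x majors is not handled here")
    return f">={base[0]}.{base[1]}.{base[2]},<{base[0] + 1}.0.0"


def affected_advisories(lock_json: str, package: str,
                        advisories: Dict[str, str] = AFFECTED) -> List[str]:
    """List the advisory IDs whose affected range contains the locked version of `package`."""
    lock = json.loads(lock_json)
    locked = {p["name"]: p["version"]
              for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    if package not in locked:
        return []
    return sorted(cve for cve, rng in advisories.items() if matches(locked[package], rng))


if __name__ == "__main__":
    pkg = "phpoffice/phpspreadsheet"
    print("locked 1.29.0 is affected by:", affected_advisories(SAMPLE_LOCK, pkg))
    print("^1.22 expands to:", caret_range("^1.22"))
    print("does ^1.22 admit 2.3.0?", matches("2.3.0", caret_range("^1.22")))
```

Running the script shows that the constructed lock at 1.29.0 is hit by all five advisories and that `^1.22` expands to `>=1.22.0,<2.0.0`, so Composer cannot select the fixed 2.3.0 release until the constraint is widened.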
