CVE-2024-45292— PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. `\PhpOffice\PhpSpreadsheet\Writer\Html` does not sanitize "javascript:" URLs from hyperlink `href` attributes, resulting in a Cross-Site Scripting vulnerability. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

PhpSpreadsheet 跨站脚本漏洞

PhpSpreadsheet是PHPOffice开源的一款用于读取和写入电子表格文件的PHP库。 PHPSpreadsheet存在跨站脚本漏洞，该漏洞源于PhpOfficePhpSpreadsheetWriterHtml不会清理超链接href属性中的“javascript:”。

N/A

N/A