CVE-2020-7776
Cross-site scripting in phpoffice/phpspreadsheet
CVSS 3.1: 6.4 (MEDIUM)
EPSS 0.34%
Description
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating HTML output from an Excel file in which a comment has been added to any cell. The root cause is in the HTML writer, where user comments are concatenated as part of a link and the result is returned as HTML.
How to fix CVE-2020-7776
To remediate CVE-2020-7776, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 1.16.0 or later
Is CVE-2020-7776 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, <= 1.8.2
- from 0, < 1.16.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |