PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| phpoffice/phpspreadsheet(Packagist) | 3.0.0 | 3.7.0 | N/A |
| phpoffice/phpspreadsheet(Packagist) | 0 | 1.29.7 | N/A |
| phpoffice/phpspreadsheet(Packagist) | 2.0.0 | 2.1.6 | N/A |
| phpoffice/phpspreadsheet(Packagist) | 2.2.0 | 2.3.5 | N/A |
| phpoffice/phpexcel(Packagist) | 0 | N/A | N/A |
CVSS Metrics
