{"package":"phpoffice/phpexcel","ecosystem":"composer","latest_version":"1.8.2","description":"PHPExcel - OpenXML - Read, Create and Write Spreadsheet documents in PHP - Spreadsheet engine","license":"LGPL-2.1","license_risk":"weak_copyleft","commercial_use_notes":"LGPL: dynamic linking from closed-source is OK; static linking triggers source disclosure.","homepage":"https://github.com/PHPOffice/PHPExcel","repository":"https://github.com/PHPOffice/PHPExcel","downloads_weekly":0,"health":{"score":0,"risk":"critical","breakdown":{"maintenance":0,"popularity":0,"security":0,"maturity":6,"community":0},"deprecated":true,"max_score":100},"vulnerabilities":{"count":19,"critical":0,"high":9,"medium":10,"low":0,"details":[{"vuln_id":"CVE-2020-7776","severity":"medium","summary":"Cross-site scripting in phpoffice/phpspreadsheet","affected_versions":"<1.16.0|<=1.8.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.2.0|=1.2.1|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"1.16.0","source":"osv","published_at":"2021-05-06T18:53:37Z","in_kev":false,"epss_prob":0.00335,"epss_percentile":0.5635,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-45290","severity":"high","summary":"PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery when opening XLSX 
file","affected_versions":">=2.2.0,<2.3.0|<1.29.2|>=2.0.0,<2.1.1|<=1.8.2|=2.2.0|=2.2.1|=2.2.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.1.1","source":"osv","published_at":"2024-10-07T15:57:38Z","in_kev":false,"epss_prob":0.00305,"epss_percentile":0.53681,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-45293","severity":"high","summary":"XXE in PHPSpreadsheet's XLSX reader","affected_versions":">=2.2.0,<2.3.0|<1.29.1|>=2.0.0,<2.1.1|<=1.8.2|=2.2.0|=2.2.1|=2.2.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.1.1","source":"osv","published_at":"2024-10-07T15:58:52Z","in_kev":false,"epss_prob":0.71632,"epss_percentile":0.98744,"threat_tier":"likely_exploited"},{"vuln_id":"CVE-2025-22131","severity":"medium","summary":"Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in 
PhpSpreadsheet","affected_versions":">=3.0.0,<3.8.0|<1.29.8|>=2.0.0,<2.1.7|>=2.2.0,<2.3.6|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=3.7.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.29.7|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.1.6|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.6","source":"osv","published_at":"2025-01-21T21:09:13Z","in_kev":false,"epss_prob":0.00455,"epss_percentile":0.6388,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-48917","severity":"high","summary":"XXE in PHPSpreadsheet's XLSX reader","affected_versions":"<1.29.4|>=2.0.0,<2.1.3|>=2.2.0,<2.3.2|>=3.3.0,<3.4.0|<=1.8.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=3.3.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"3.4.0","source":"osv","published_at":"2024-11-18T20:01:46Z","in_kev":false,"epss_prob":0.00173,"epss_percentile":0.38324,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-56366","severity":"high","summary":"PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php 
file","affected_versions":">=3.0.0,<3.7.0|<1.29.7|>=2.0.0,<2.1.6|>=2.2.0,<2.3.5|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.5","source":"osv","published_at":"2025-01-03T17:06:23Z","in_kev":false,"epss_prob":0.00871,"epss_percentile":0.75277,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-45048","severity":"high","summary":"XXE in PHPSpreadsheet encoding is returned","affected_versions":"<1.29.1|>=2.2.0,<2.2.1|>=2.0.0,<2.1.1|<=1.8.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.2.0|=2.0.0|=2.1.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.1.1","source":"osv","published_at":"2024-08-29T17:58:27Z","in_kev":false,"epss_prob":0.00155,"epss_percentile":0.35839,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-56411","severity":"medium","summary":"PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page 
header","affected_versions":">=3.0.0,<3.7.0|<1.29.7|>=2.0.0,<2.1.6|>=2.2.0,<2.3.5|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.5","source":"osv","published_at":"2025-01-03T17:28:50Z","in_kev":false,"epss_prob":0.00668,"epss_percentile":0.71354,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-56409","severity":"high","summary":"PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file","affected_versions":">=3.0.0,<3.7.0|<1.29.7|>=2.0.0,<2.1.6|>=2.2.0,<2.3.5|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.5","source":"osv","published_at":"2025-01-03T17:06:51Z","in_kev":false,"epss_prob":0.00668,"epss_percentile":0.71354,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-56365","severity":"high","summary":"PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the Downloader 
class","affected_versions":">=3.0.0,<3.7.0|<1.29.7|>=2.0.0,<2.1.6|>=2.2.0,<2.3.5|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.5","source":"osv","published_at":"2025-01-03T17:06:05Z","in_kev":false,"epss_prob":0.00668,"epss_percentile":0.71354,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-47873","severity":"high","summary":"XmlScanner bypass leads to XXE","affected_versions":"<1.29.4|>=2.0.0,<2.1.3|>=2.2.0,<2.3.2|>=3.3.0,<3.4.0|<=1.8.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=3.3.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"3.4.0","source":"osv","published_at":"2024-11-18T20:01:20Z","in_kev":false,"epss_prob":0.00173,"epss_percentile":0.38324,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-56412","severity":"medium","summary":"PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special 
characters","affected_versions":">=3.0.0,<3.7.0|<1.29.7|>=2.0.0,<2.1.6|>=2.2.0,<2.3.5|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.5","source":"osv","published_at":"2025-01-03T17:29:10Z","in_kev":false,"epss_prob":0.00228,"epss_percentile":0.45475,"threat_tier":"theoretical"},{"vuln_id":"CVE-2025-23210","severity":"medium","summary":"PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special 
characters","affected_versions":">=3.0.0,<3.9.0|<1.29.9|>=2.2.0,<2.3.7|>=2.0.0,<2.1.8|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=3.7.0|=3.8.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.29.7|=1.29.8|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=2.3.5|=2.3.6|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.1.6|=2.1.7|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.1.8","source":"osv","published_at":"2025-02-03T15:39:31Z","in_kev":false,"epss_prob":0.00113,"epss_percentile":0.29585,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-45292","severity":"medium","summary":"PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks","affected_versions":">=2.2.0,<2.3.0|<1.29.2|>=2.0.0,<2.1.1|<=1.8.2|=2.2.0|=2.2.1|=2.2.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.1.1","source":"osv","published_at":"2024-10-07T15:58:25Z","in_kev":false,"epss_prob":0.01057,"epss_percentile":0.77685,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-45060","severity":"medium","summary":"PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample 
file","affected_versions":">=2.2.0,<2.3.0|<1.29.2|>=2.0.0,<2.1.1|<=1.8.2|=2.2.0|=2.2.1|=2.2.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.1.1","source":"osv","published_at":"2024-10-07T14:43:30Z","in_kev":false,"epss_prob":0.01275,"epss_percentile":0.79624,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-45291","severity":"medium","summary":"PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in HTML writer when embedding images is enabled","affected_versions":">=2.2.0,<2.3.0|<1.29.2|>=2.0.0,<2.1.1|<=1.8.2|=2.2.0|=2.2.1|=2.2.2|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.1.1","source":"osv","published_at":"2024-10-07T15:58:06Z","in_kev":false,"epss_prob":0.0089,"epss_percentile":0.75594,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-45046","severity":"medium","summary":"PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style 
information","affected_versions":">=2.0.0,<2.1.0|<1.29.1|<=1.8.2|=2.0.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"1.29.1","source":"osv","published_at":"2024-08-29T17:56:56Z","in_kev":false,"epss_prob":0.00333,"epss_percentile":0.56076,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-56410","severity":"medium","summary":"PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom properties","affected_versions":">=3.0.0,<3.7.0|<1.29.7|>=2.0.0,<2.1.6|>=2.2.0,<2.3.5|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.5","source":"osv","published_at":"2025-01-03T17:25:45Z","in_kev":false,"epss_prob":0.00668,"epss_percentile":0.71354,"threat_tier":"theoretical"},{"vuln_id":"CVE-2024-56408","severity":"high","summary":"PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` 
file","affected_versions":">=3.0.0,<3.7.0|<1.29.7|>=2.0.0,<2.1.6|>=2.2.0,<2.3.5|<=1.8.2|=3.3.0|=3.4.0|=3.5.0|=3.6.0|=1.0.0|=1.0.0-beta|=1.0.0-beta2|=1.1.0|=1.10.0|=1.10.1|=1.11.0|=1.12.0|=1.13.0|=1.14.0|=1.14.1|=1.15.0|=1.16.0|=1.17.0|=1.17.1|=1.18.0|=1.19.0|=1.2.0|=1.2.1|=1.20.0|=1.21.0|=1.22.0|=1.23.0|=1.24.0|=1.24.1|=1.25.0|=1.25.1|=1.25.2|=1.26.0|=1.27.0|=1.27.1|=1.28.0|=1.29.0|=1.29.1|=1.29.2|=1.29.4|=1.29.5|=1.29.6|=1.3.0|=1.3.1|=1.4.0|=1.4.1|=1.5.0|=1.5.1|=1.5.2|=1.6.0|=1.7.0|=1.8.0|=1.8.1|=1.8.2|=1.9.0|=2.0.0|=2.1.0|=2.1.1|=2.1.3|=2.1.4|=2.1.5|=2.2.0|=2.2.1|=2.2.2|=2.3.0|=2.3.2|=2.3.3|=2.3.4|=1.7.9|=1.7.9-rc1|=1.8.0|=1.8.0rc1|=1.8.0rc2|=1.8.0rc3|=1.8.0rc4|=1.8.1|=1.8.2","fixed_version":"2.3.5","source":"osv","published_at":"2025-01-03T16:05:26Z","in_kev":false,"epss_prob":0.01029,"epss_percentile":0.77382,"threat_tier":"theoretical"}],"actively_exploited_count":0,"likely_exploited_count":1},"versions":{"latest":"1.8.2","total_count":9,"recent":["1.8.2","1.8.1","1.8.0","1.8.0rc4","1.8.0rc3","1.8.0rc2","1.8.0rc1","1.7.9","1.7.9-rc1"]},"metadata":{"deprecated":true,"deprecated_message":"phpoffice/phpspreadsheet","maintainers_count":4,"first_published":null,"last_published":"2018-11-22T23:07:24+00:00","dependencies_count":4,"dependencies":["php","ext-mbstring","ext-xml","ext-xmlwriter"]},"github_stats":{"stars":11381,"forks":4137,"open_issues":663,"is_archived":true,"pushed_at":"2019-01-02T01:38:48Z","subscribers_count":762},"bundle":null,"typescript":null,"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"find_alternative","issues":["Low health score (0/100)","9 high severity vulnerabilities","Package is deprecated"],"use_version":"1.8.2","version_hint":"Migrate to phpoffice/phpspreadsheet and update to >= 2.3.5 to fix known vulnerabilities; phpoffice/phpexcel itself has no fixed release (every advisory covers <=1.8.2), and some advisories above list a later fixed_version","summary":"phpoffice/phpexcel is deprecated — find an alternative","alternatives":[{"name":"phpoffice/phpspreadsheet","reason":"Deprecation notice: use 
phpoffice/phpspreadsheet","builtin":false}]},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":true,"bus_factor_3m":1,"active_contributors_12m":0,"primary_author_ratio":0.0,"owner_account_age_days":5068,"is_archived":true,"stars":11381,"alerts":["single_active_maintainer_3m","archived_repo"]},"malicious":{"is_malicious":false},"scorecard":{"available":false},"quality":{"available":false},"alternatives_link":{"url":"/api/alternatives/composer/phpoffice/phpexcel","count":1},"version_history_summary":{"total_versions":9,"first_release_age_days":null,"last_release_days_ago":2714,"avg_days_between_releases":null,"release_velocity":"stale"}}