Lucene search

GitHub Advisory DatabaseGHSA-28RM-RJ57-QJPV

HistoryMay 17, 2022 - 4:42 a.m.

PHPExcel vulnerable to XXE attacks through libxml

2022-05-1704:42:46

CWE-611

GitHub Advisory Database

github.com

phpexcel

version 1.8.0

xxe attacks

libxml

owncloud server

denial of service

remote attackers

arbitrary files.

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.005

Percentile

77.0%

JSON

PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

Affected configurations

Vulners

Node

phpofficephpexcelRange<1.8.0

VendorProductVersionCPE
phpofficephpexcel*cpe:2.3:a:phpoffice:phpexcel:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
phpoffice	phpexcel	*	cpe:2.3:a:phpoffice:phpexcel::::::::

References

owncloud.org/about/security/advisories/oC-SA-2014-006/

github.com/advisories/GHSA-28rm-rj57-qjpv

github.com/PHPOffice/PHPExcel/blob/2b601574975acfb9d4378a788ed5f2b747958095/changelog.txt#L120

github.com/PHPOffice/PHPExcel/commit/e04bf7ed091b0a72d028eacf26d770b485d4e897

nvd.nist.gov/vuln/detail/CVE-2014-2054

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.005

Percentile

77.0%

JSON

Related for GHSA-28RM-RJ57-QJPV