CVE-2024-55878: Cross-site Scripting vulnerability in SimpleXLSXEx::readXfs and SimpleXLSX::toHTMLEx

6.8 CVSS

Description

SimpleXLSX is software for parsing and retrieving data from Excel XLSX files. Starting in version 1.0.12 and prior to version 1.1.12, calling the extended toHTMLEx method on a crafted spreadsheet can result in the execution of arbitrary JavaScript in the browser that renders the output. Version 1.1.12 fixes the issue. As a workaround, do not publish the output of toHTMLEx directly.

Classification

CVE ID: CVE-2024-55878

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.8

Affected Products

Vendor: shuchkin

Product: simplexlsx

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.48% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-04 (date on which this score was calculated)

References

https://github.com/shuchkin/simplexlsx/security/advisories/GHSA-x6mh-rjwm-8ph7
https://github.com/shuchkin/simplexlsx/commit/cb4e716259e83d18e89292a4f1b721f4d34e28c2

Timeline