CVE-2024-56364: Cross-site Scripting vulnerability in SimpleXLSXEx::readThemeColors, SimpleXLSXEx::getColorValue and SimpleXLSX::toHTMLEx

5.4 CVSS

Description

SimpleXLSX is a PHP library for parsing and retrieving data from Excel XLSX files. In versions from 1.0.12 up to, but not including, 1.1.13, calling the extended toHTMLEx method on an untrusted workbook can lead to execution of arbitrary JavaScript in the browser that displays the generated HTML. The functions named in the title read theme colours from the workbook and resolve colour values for output, so the payload is carried by a crafted XLSX file rather than by a web request. This vulnerability is fixed in 1.1.13.
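The following PHP is an added illustration, not code from SimpleXLSX, from its advisory, or from the referenced fix commit. It models the bug class the title names: a colour string read from an untrusted workbook's theme part is written into HTML produced by a toHTMLEx-style renderer without validation, and an allow-list fix is shown beside it. The theme XML fragment is constructed, the function names and bodies are assumptions (the library's real code path and patch are not reproduced on this page), and the index of the affected scheme entry is arbitrary.

```php
<?php
// Added example: models the vulnerability class on this page, not SimpleXLSX code.
declare(strict_types=1);

// Constructed stand-in for xl/theme/theme1.xml inside a malicious workbook.
// Legitimate files carry six hex digits per colour; the lt2 entry here
// carries XML-escaped markup that becomes a closing quote plus an <img> tag
// once the attribute is decoded.
const THEME_XML = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">
  <a:themeElements><a:clrScheme name="Office">
    <a:dk1><a:sysClr val="windowText" lastClr="000000"/></a:dk1>
    <a:lt1><a:sysClr val="window" lastClr="FFFFFF"/></a:lt1>
    <a:dk2><a:srgbClr val="44546A"/></a:dk2>
    <a:lt2><a:srgbClr val="E7E6E6&quot;&gt;&lt;img src=x onerror=alert(1)&gt;"/></a:lt2>
  </a:clrScheme></a:themeElements>
</a:theme>
XML;

const DRAWINGML_NS = 'http://schemas.openxmlformats.org/drawingml/2006/main';

/** Read scheme colours keyed by scheme slot (dk1, lt1, dk2, lt2, ...), verbatim. */
function readThemeColors(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch external resources while parsing attacker XML.
    $doc->loadXML($xml, LIBXML_NONET);
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('a', DRAWINGML_NS);

    $colors = [];
    foreach ($xp->query('//a:clrScheme/*/*') as $clr) {
        // <a:sysClr> carries the colour in lastClr, <a:srgbClr> in val.
        $value = $clr->hasAttribute('lastClr')
            ? $clr->getAttribute('lastClr')
            : $clr->getAttribute('val');
        $colors[$clr->parentNode->localName] = $value;
    }
    return $colors;
}

/** Vulnerable pattern: the raw colour string is dropped into a style attribute. */
function toHtmlUnsafe(array $colors, string $cellText): string
{
    return '<td style="color:#' . $colors['lt2'] . '">' . $cellText . '</td>';
}

/** Allow-list: exactly six hex digits, otherwise fall back to a safe default. */
function sanitizeColor(string $raw): string
{
    return preg_match('/^[0-9A-Fa-f]{6}$/', $raw) === 1 ? strtoupper($raw) : '000000';
}

/** Hardened pattern: validate the colour and entity-encode the cell text. */
function toHtmlSafe(array $colors, string $cellText): string
{
    $color = sanitizeColor($colors['lt2'] ?? '');
    $text  = htmlspecialchars($cellText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td style="color:#' . $color . '">' . $text . '</td>';
}

$colors = readThemeColors(THEME_XML);
echo "unsafe: " . toHtmlUnsafe($colors, 'total') . "\n";
echo "safe:   " . toHtmlSafe($colors, 'total') . "\n";
```

Run with `php example.php`. The unsafe line renders the decoded attribute as `#E7E6E6"><img src=x onerror=alert(1)>`, which closes the style attribute and injects an element whose handler runs when the HTML is viewed; the safe line emits `#000000` because the value fails the six-hex-digit allow-list. Validating against the format the data is supposed to have (a hex colour) is preferable to HTML-escaping the colour, since an escaped non-colour would still produce a broken style.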

Classification

CVE ID: CVE-2024-56364

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

Affected Products

Vendor: shuchkin

Product: simplexlsx

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild within the next 30 days)

EPSS Percentile: 11.48% (share of all scored CVEs with an EPSS score at or below this one)

EPSS Date: 2025-02-04 (date the score was calculated)

References

https://github.com/shuchkin/simplexlsx/security/advisories/GHSA-r87q-fj25-f8jf
https://github.com/shuchkin/simplexlsx/commit/71a5e3d40d14e33161f8a40b3fd02de542218ef0

Timeline