Description
Versions of exceljs before 1.6.0 are vulnerable to cross-site scripting.
This vulnerability is due to exceljs not validating data from parsed XLSX file and embedding HTML tags, like <script> directly into the sheet cells.
Recommendation
Update the exceljs package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.0
- Patched version(s): 1.6.0
References
- GHSA-2j2j-8rrv-264g
- hackerone.com
- www.npmjs.com
- CVE-2018-16459
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Command Injection Vulnerability - CVE-2021-21315
- Cloudera HUE Account Enumeration - CVE-2016-4947
- Sensitive data exposure in NATS - CVE-2020-26149
- Cross-Site Scripting in i18next - CVE-2017-16008
- Tags:
- npm
- exceljs
Anything's wrong? Let us know Last updated on September 13, 2023