Description
Versions of exceljs before 1.6.0 are vulnerable to cross-site scripting.
This vulnerability is due to exceljs not validating data from parsed XLSX file and embedding HTML tags, like <script> directly into the sheet cells.
Recommendation
Update the exceljs package to the latest compatible version. Followings are version details:
- Affected version(s): < 1.6.0
- Patched version(s): 1.6.0
References
- GHSA-2j2j-8rrv-264g
- hackerone.com
- www.npmjs.com
- CVE-2018-16459
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Stored Cross-Site Scripting in simplehttpserver - CVE-2018-3716
- Bootstrap Cross-site Scripting vulnerability (GHSA-pj7m-g53m-7638) - CVE-2018-14041
- Cross-site Scripting (XSS) - Stored in crud-file-server - CVE-2018-3726
- Json2html vulnerable to cross-site scripting - CVE-2018-25053
- Tags:
- npm
- exceljs
Anything's wrong? Let us know Last updated on September 13, 2023