CVE-2020-7776 in PhpSpreadsheet

Summary

by MITRE • 12/09/2020

This affects the package phpoffice/phpspreadsheet from 0.0.0. The library is vulnerable to XSS when creating HTML output from an Excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer, where user comments are concatenated as part of a link and this is returned as HTML. A fix for this issue is available on commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845/master branch.


Analysis

by VulDB Data Team • 05/04/2025

The vulnerability CVE-2020-7776 affects the phpoffice/phpspreadsheet library, specifically versions from 0.0.0 onward. The flaw resides in the library's HTML output generation, where user-provided comments are improperly handled during the conversion of Excel files to HTML. It manifests when HTML representations are created of Excel documents that contain cell comments, which makes it a critical concern for applications that process user-uploaded Excel files or generate HTML reports from spreadsheet data. The vulnerability is classified as cross-site scripting under CWE-79, one of the most prevalent and dangerous classes of web application vulnerability.

The technical root cause lies in the HTML writer component of phpoffice/phpspreadsheet. When processing Excel files that contain comments, the library concatenates user-provided comment text directly into the HTML output without sanitization or output encoding. This happens during HTML export, where cell comments are embedded into link elements or other HTML structures, which gives an attacker a vector to inject JavaScript or other harmful content. The flaw reflects missing input validation and output encoding: arbitrary HTML is rendered in a context where it should have been treated as plain text or properly escaped.

The operational impact extends beyond the HTML generation itself: an attacker's script executes in the context of the victim's browser whenever the generated HTML is viewed. The risk is most severe in web applications that let users upload Excel files, process them with phpoffice/phpspreadsheet and then display the resulting HTML to other users. Malicious JavaScript embedded in a cell comment could lead to session hijacking, data theft or defacement of applications that rely on the library for spreadsheet processing. Any application that uses the library's HTML writer is affected, making this a widespread concern for PHP applications handling spreadsheet data.

Organizations using phpoffice/phpspreadsheet should apply the fix in commit 0ed5b800be2136bcb8fa9c1bdf59abc957a98845 on the master branch without delay. The patch sanitizes user comments before they are included in the HTML output, so that potentially malicious content is neutralized during export. In addition, administrators should consider input validation at the application level, such as filtering or escaping comment content before it reaches the library's HTML writer. The fix aligns with ATT&CK technique T1211 by addressing the execution of malicious code through improper input handling, and it supports the principle of least privilege by preventing untrusted data from directly influencing HTML generation.
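To make the root cause and the fix concrete, the following is an added example written for this page; it is not PhpSpreadsheet's own code and does not reproduce the library's HTML writer. It models the pattern the advisory describes (comment text concatenated into a link) with a minimal stand-in, shows the vulnerable and the hardened form side by side, and includes a simple defender-side check that flags output in which the raw comment survived unencoded. The function names, the markup shape and the sample cell are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not PhpSpreadsheet's own code): a minimal stand-in for an HTML
// writer that emits a cell's value together with its comment. The function
// names and the markup shape are assumptions chosen to mirror the advisory's
// description of comment text being concatenated into a link.

/** Encode a string for use as HTML text content or inside a double-quoted attribute. */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the comment is concatenated verbatim into the markup. */
function renderCellVulnerable(string $coordinate, string $value, string $comment): string
{
    // No encoding at the HTML sink: any tags inside $comment become part of the page.
    return '<a href="#' . $coordinate . '" title="' . $comment . '">' . $value . '</a>';
}

/** Hardened pattern: every untrusted string is encoded for the context it lands in. */
function renderCellHardened(string $coordinate, string $value, string $comment): string
{
    // Attribute and text content are HTML-encoded; the fragment identifier is URL-encoded.
    return '<a href="#' . rawurlencode($coordinate) . '" title="' . escapeHtml($comment) . '">'
        . escapeHtml($value) . '</a>';
}

/**
 * Defender-side check on generated output: true when a comment that contains a
 * '<' reached the HTML verbatim, i.e. it could still introduce tags.
 */
function commentLeaksMarkup(string $html, string $comment): bool
{
    return str_contains($comment, '<') && str_contains($html, $comment);
}

// Constructed sample input: a cell whose comment carries a script element.
$coordinate = 'A1';
$value      = 'Total & balance';
$comment    = '<script>alert(1)</script>';

$vulnerable = renderCellVulnerable($coordinate, $value, $comment);
$hardened   = renderCellHardened($coordinate, $value, $comment);

printf("vulnerable: %s\n", $vulnerable);
printf("hardened:   %s\n", $hardened);
printf("vulnerable leaks markup: %s\n", commentLeaksMarkup($vulnerable, $comment) ? 'yes' : 'no');
printf("hardened leaks markup:   %s\n", commentLeaksMarkup($hardened, $comment) ? 'yes' : 'no');
```

The hardened variant applies encoding at the sink rather than trying to filter the comment on input, which is the same principle the upstream fix follows; the application-level filtering the analysis recommends is a second layer, not a replacement. The script uses `str_contains`, so it needs PHP 8.0 or later.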

Responsible: Snyk

Reservation: 01/21/2020

Disclosure: 12/09/2020

Moderation: accepted

CPE: ready

EPSS: 0.00335

KEV: no

Activities: very low

Sources
