CVE-2018-19277 – PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)

https://notcve.org/view.php?id=CVE-2018-19277

securityScan() in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file securityScan() en PHPOffice PhpSpreadsheet hasta la versión 1.5.0 permite la omisión de los mecanismos de protección de XEE (XML External Entity) mediante el cifrado UTF-7 en un archivo .xlsx. • https://www.exploit-db.com/exploits/46050 https://github.com/MewesK/TwigSpreadsheetBundle/issues/18 https://github.com/PHPOffice/PhpSpreadsheet/issues/771 https://www.bishopfox.com/news/2018/11/phpoffice-versions https://www.drupal.org/sa-contrib-2021-043 • CWE-91: XML Injection (aka Blind XPath Injection) •