Severity: moderate

Cross-Site Scripting

exceljs

Overview

Versions of exceljs before 1.6.0 are vulnerable to cross-site scripting.

This vulnerability exists because exceljs does not validate data from a parsed XLSX file and allows HTML tags, such as <script>, to be embedded directly in sheet cells. Because of this, it is possible to inject malicious JavaScript code that executes when data from the sheet is displayed in the browser.
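An added example (not exceljs's own code) of the rendering path the advisory describes, showing the unescaped version beside a hardened one that treats every cell from the file as untrusted text. The sample rows are constructed; the rich-text, formula and hyperlink value shapes are assumed to follow exceljs's documented cell value objects.

```javascript
// Constructed sample of parsed rows, shaped like values read back from a workbook.
// One cell carries the kind of <script> payload the advisory describes.
const sampleRows = [
  ["Name", "Note"],
  ["Alice", { richText: [{ text: "Quarterly " }, { font: { bold: true }, text: "summary" }] }],
  ["Mallory", "<script>alert(1)</script>"],
  [{ text: "Link", hyperlink: "https://example.com/" }, null],
];

// Flatten a cell value to plain text. Object shapes (richText, formula, hyperlink)
// are an assumption based on exceljs's documented cell value objects.
function cellText(cell) {
  if (cell == null) return "";                       // empty cell
  if (typeof cell === "object") {
    if (Array.isArray(cell.richText)) return cell.richText.map(r => r.text).join("");
    if ("formula" in cell) return cellText(cell.result);
    if ("hyperlink" in cell) return cellText(cell.text);
  }
  return String(cell);                               // strings, numbers, dates
}

// Vulnerable rendering: cell text is interpolated into markup verbatim, so a
// cell containing <script> becomes live script when the table is inserted.
function renderUnsafe(rows) {
  return "<table>" + rows.map(row =>
    "<tr>" + row.map(cell => `<td>${cellText(cell)}</td>`).join("") + "</tr>"
  ).join("") + "</table>";
}

// HTML-encode the characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Hardened rendering: every cell is escaped after flattening, before it reaches the DOM.
function renderSafe(rows) {
  return "<table>" + rows.map(row =>
    "<tr>" + row.map(cell => `<td>${escapeHtml(cellText(cell))}</td>`).join("") + "</tr>"
  ).join("") + "</table>";
}

// Cheap regression check for a renderer: does the output still contain a raw <script> tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}
```

The same escaping applies to any other sink (attribute values, CSV export viewed in a browser); rendering through `textContent` instead of `innerHTML` avoids the problem entirely when building the DOM directly.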

Remediation

Update to version 1.6.0 or later.

Advisory timeline

  1. Advisory Published: Dec 11th, 2018