CVE-2014-2054: PHPExcel vulnerable to XXE attacks through libxml
(updated )
PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
References
- github.com/PHPOffice/PHPExcel
- github.com/PHPOffice/PHPExcel/blob/2b601574975acfb9d4378a788ed5f2b747958095/changelog.txt
- github.com/PHPOffice/PHPExcel/blob/develop/changelog.txt
- github.com/PHPOffice/PHPExcel/commit/e04bf7ed091b0a72d028eacf26d770b485d4e897
- github.com/advisories/GHSA-28rm-rj57-qjpv
- nvd.nist.gov/vuln/detail/CVE-2014-2054
Code Behaviors & Features
Detect and mitigate CVE-2014-2054 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →