Advisory: PHPExcel 1.7.7 Cross-Site Scripting vulnerability Advisory ID: SSCHADV2012-020 Author: Stefan Schurtz Affected Software: Successfully tested on PHPExcel 1.7.7 Vendor URL: http://phpexcel.codeplex.com/ Vendor Status: informed ========================== Vulnerability Description ========================== PHPExcel 1.7.7 is prone to a Cross-Site Scripting vulnerability ========================== Vulnerable code ========================== //download.php

========================== PoC-Exploit ========================== http://[target]/PHPExcel/Shared/JAMA/docs/download.php/ '> ========================== Solution ==========================

========================== Disclosure Timeline ========================== 21-Aug-2012 - developer informed ========================== Credits ========================== Vulnerability found and advisory written by Stefan Schurtz. ========================== References ========================== http://www.darksecurity.de/advisories/2012/SSCHADV2012-020.txt