XSS vulnerability in formula bar


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • 6.2.0
    • Affects Version/s: 6.1.0
    • Component/s: None
    • None

      Steps to Reproduce

      1. load blank file
      2. enter <img src=a onerror='alert(document.domain)'> in the formula bar

      2nd case: Steps to Reproduce

      1. load keikai-841.xlsx

      Current Result

      a browser executes the js and shows a popup

      Expected Result

      no js executed

      Debug Information

      • inputting the same string in a cell editbox has the same bug
      • attackers can upload an xlsx with malicious code and execute it in a browser.

            Assignee:
            DevChu
            Reporter:
            hawk
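A standard mitigation for this class of bug is to HTML-encode cell text at the point where it is written into the page, so that typed input and values read from an uploaded workbook take the same path. The sketch below is an added example, not Keikai's code or its actual fix; the function names, the `formulabar` markup and the sample cells are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names and markup, not Keikai's API.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: cell text is concatenated into markup, so any tag in it is parsed as HTML.
function renderFormulaBarUnsafe(cell) {
  return '<div class="formulabar" data-ref="' + cell.ref + '">' + cell.text + '</div>';
}

// After: every cell-derived field is encoded at the sink, whatever its origin.
function renderFormulaBarSafe(cell) {
  return '<div class="formulabar" data-ref="' + escapeHtml(cell.ref) + '">' +
    escapeHtml(cell.text) + '</div>';
}

// True if the markup inside the wrapper div still contains the start of a tag.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div [^>]*>/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample cells: the string from the report, once typed and once as if
// read from an uploaded workbook, plus a legitimate formula containing '<' and '&'.
const REPORTED_INPUT = "<img src=a onerror='alert(document.domain)'>";
const sampleCells = [
  { ref: 'A1', text: REPORTED_INPUT, source: 'typed' },
  { ref: 'B2', text: REPORTED_INPUT, source: 'imported' },
  { ref: 'C3', text: '=IF(A1<B1,"lt","ge") & "x"', source: 'typed' },
];

// Render each sample both ways and report whether a tag survives in the output.
function auditSamples() {
  return sampleCells.map((cell) => ({
    ref: cell.ref,
    source: cell.source,
    unsafeHasTag: containsInjectedTag(renderFormulaBarUnsafe(cell)),
    safeHasTag: containsInjectedTag(renderFormulaBarSafe(cell)),
  }));
}

console.log(auditSamples());
```

When the value is assigned through the DOM rather than built as a string, setting `textContent` (or an input's `value`) instead of `innerHTML` gives the same result without manual encoding.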