diff options
| author | Rodrigo Osorio <rodrigo@FreeBSD.org> | 2024-02-11 20:01:40 +0100 |
|---|---|---|
| committer | Rodrigo Osorio <rodrigo@FreeBSD.org> | 2024-02-11 20:03:15 +0100 |
| commit | 425c2f9bd7ad36f324559b694a7bf0345c7e5803 (patch) | |
| tree | 4ab24b2704d10f3ae1dff3a108e81e1389f0706e | |
| parent | 486cd76e9ca9fb77db6e858ee04ffb6464f67c2d (diff) | |
| download | freebsd-ports-425c2f9bd7ad36f324559b694a7bf0345c7e5803.zip | |
security/vuxml: add vulnerability for p5-Spreadsheet-ParseExcel
https://nvd.nist.gov/vuln/detail/CVE-2023-7101
| -rw-r--r-- | security/vuxml/vuln/2024.xml | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 5ab57c289fa0..a1792f558f35 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,35 @@ + <vuln vid="cb22a9a6-c907-11ee-8d1c-40b034429ecf"> + <topic>p5-Spreadsheet-ParseExcel -- Remote Code Execution Vulnerability</topic> + <affects> + <package> + <name>p5-Spreadsheet-ParseExcel</name> + <range><lt>0.66</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Spreadsheet-ParseExcel reports:</p> + <blockquote cite="https://nvd.nist.gov/vuln/detail/CVE-2023-7101"> + <p> + Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. + Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability + due to passing unvalidated input from a file into a string-type eval "eval". + Specifically, the issue stems from the evaluation of Number format strings + (not to be confused with printf-style format strings) within the Excel parsing logic. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-7101</cvename> + <url>https://nvd.nist.gov/vuln/detail/CVE-2023-7101</url> + </references> + <dates> + <discovery>2023-12-29</discovery> + <entry>2024-02-11</entry> + </dates> + </vuln> + <vuln vid="19e6dd1b-c6a5-11ee-9cd0-6cc21735f730"> <topic>postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</topic> <affects> |