Upgrade packages based on composer audit findings #526

@pandigresik

Description

Result of composer audit

+-------------------+----------------------------------------------------------------------------------+
| Package | laravel/framework |
| Severity | medium |
| CVE | CVE-2025-27515 |
| Title | Laravel has a File Validation Bypass |
| URL | GHSA-78fx-h6xr-vch4 |
| Affected versions | <10.48.29|>=11.0.0,<11.44.1|>=12.0.0,<12.1.1 |
| Reported at | 2025-03-05T19:09:39+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | laravel/framework |
| Severity | high |
| CVE | CVE-2024-52301 |
| Title | Laravel environment manipulation via query string |
| URL | GHSA-gv7v-rgg6-548h |
| Affected versions | <6.20.45|>=7.0.0,<7.30.7|>=8.0.0,<8.83.28|>=9.0.0,<9.52.17|>=10.0.0,<10.48.23|>= |
| | 11.0.0,<11.31.0 |
| Reported at | 2024-11-12T15:29:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | league/commonmark |
| Severity | medium |
| CVE | CVE-2025-46734 |
| Title | league/commonmark contains a XSS vulnerability in Attributes extension |
| URL | GHSA-3527-qv2q-pfvx |
| Affected versions | <2.7.0 |
| Reported at | 2025-05-05T20:40:36+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | league/commonmark |
| Severity | high |
| CVE | NO CVE |
| Title | league/commonmark's quadratic complexity bugs may lead to a denial of service |
| URL | GHSA-c2pc-g5qf-rfrf |
| Affected versions | <2.6.0 |
| Reported at | 2024-12-09T20:42:07+00:00 |
| Advisory ID | PKSA-fndg-qryc-dyc9 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | nesbot/carbon |
| Severity | medium |
| CVE | CVE-2025-22145 |
| Title | Carbon has an arbitrary file include via unvalidated input passed to |
| | Carbon::setLocale |
| URL | GHSA-j3f9-p6hm-5w6q |
| Affected versions | <2.72.6|>=3.0.0,<3.8.4 |
| Reported at | 2025-01-08T21:03:28+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2025-54370 |
| Title | PhpSpreadsheet vulnerable to SSRF when reading and displaying a processed HTML |
| | document in the browser |
| URL | GHSA-rx7m-68vc-ppxh |
| Affected versions | >=4.0.0,<5.0.0|>=3.0.0,<3.10.0|>=2.2.0,<2.4.0|>=2.0.0,<2.1.12|<1.30.0 |
| Reported at | 2025-08-25T14:32:32+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2025-23210 |
| Title | PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol |
| | and special characters |
| URL | GHSA-r57h-547h-w24f |
| Affected versions | >=2.0.0,<2.1.8|>=2.2.0,<2.3.7|<1.29.9|>=3.0.0,<3.9.0 |
| Reported at | 2025-02-03T15:39:31+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2025-22131 |
| Title | Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in |
| | PhpSpreadsheet |
| URL | GHSA-79xx-vf93-p7cx |
| Affected versions | >=2.2.0,<2.3.6|>=2.0.0,<2.1.7|<1.29.8|>=3.0.0,<3.8.0 |
| Reported at | 2025-01-21T21:09:13+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-56412 |
| Title | PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and |
| | special characters |
| URL | GHSA-q9jv-mm3r-j47r |
| Affected versions | >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0 |
| Reported at | 2025-01-03T17:29:10+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-56411 |
| Title | PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink |
| | base in the HTML page header |
| URL | GHSA-hwcp-2h35-p66w |
| Affected versions | >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0 |
| Reported at | 2025-01-03T17:28:50+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-56410 |
| Title | PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability in custom |
| | properties |
| URL | GHSA-wv23-996v-q229 |
| Affected versions | >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0 |
| Reported at | 2025-01-03T17:25:45+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-56409 |
| Title | PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file |
| URL | GHSA-j2xg-cjcx-4677 |
| Affected versions | >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0 |
| Reported at | 2025-01-03T17:06:51+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-56366 |
| Title | PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file |
| URL | GHSA-c6fv-7vh8-2rhr |
| Affected versions | >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0 |
| Reported at | 2025-01-03T17:06:23+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-56365 |
| Title | PhpSpreadsheet allows unauthorized Reflected XSS in the constructor of the |
| | Downloader class |
| URL | GHSA-jmpx-686v-c3wx |
| Affected versions | >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0 |
| Reported at | 2025-01-03T17:06:05+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-56408 |
| Title | PhpSpreadsheet allows unauthorized Reflected XSS in Convert-Online.php file |
| URL | GHSA-x88g-h956-m5xg |
| Affected versions | >=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0 |
| Reported at | 2025-01-03T16:05:26+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-48917 |
| Title | XXE in PHPSpreadsheet's XLSX reader |
| URL | GHSA-7cc9-j4mv-vcjp |
| Affected versions | >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4 |
| Reported at | 2024-11-18T20:01:46+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-47873 |
| Title | XmlScanner bypass leads to XXE |
| URL | GHSA-jw4x-v69f-hh5w |
| Affected versions | >=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4 |
| Reported at | 2024-11-18T20:01:20+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-45293 |
| Title | XXE in PHPSpreadsheet's XLSX reader |
| URL | GHSA-6hwr-6v2f-3m88 |
| Affected versions | >=2.0.0,<2.1.1|<1.29.1|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:58:52+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45292 |
| Title | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript |
| | hyperlinks |
| URL | GHSA-r8w8-74ww-j4wh |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:58:25+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45291 |
| Title | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery in |
| | HTML writer when embedding images is enabled |
| URL | GHSA-w9xv-qf98-ccq4 |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:58:06+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-45290 |
| Title | PhpSpreadsheet allows absolute path traversal and Server-Side Request Forgery |
| | when opening XLSX file |
| URL | GHSA-5gpr-w2p5-6m37 |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T15:57:38+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45060 |
| Title | PhpSpreadsheet has an Unauthenticated Cross-Site-Scripting (XSS) in sample file |
| URL | GHSA-v66g-p9x6-v98p |
| Affected versions | >=2.0.0,<2.1.1|<1.29.2|>=2.2.0,<2.3.0 |
| Reported at | 2024-10-07T14:43:30+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | high |
| CVE | CVE-2024-45048 |
| Title | XXE in PHPSpreadsheet encoding is returned |
| URL | GHSA-ghg6-32f9-2jp7 |
| Affected versions | >=2.0.0,<2.1.1|>=2.2.0,<2.2.1|<1.29.1 |
| Reported at | 2024-08-29T17:58:27+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | phpoffice/phpspreadsheet |
| Severity | medium |
| CVE | CVE-2024-45046 |
| Title | PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style |
| | information |
| URL | GHSA-wgmf-q9vr-vww6 |
| Affected versions | <1.29.1|>=2.0.0,<2.1.0 |
| Reported at | 2024-08-29T17:56:56+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/http-foundation |
| Severity | low |
| CVE | CVE-2024-50345 |
| Title | CVE-2024-50345: Open redirect via browser-sanitized URLs |
| URL | https://symfony.com/cve-2024-50345 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 |
| Reported at | 2024-11-05T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/process |
| Severity | high |
| CVE | CVE-2024-51736 |
| Title | CVE-2024-51736: Command execution hijack on Windows with Process class |
| URL | https://symfony.com/cve-2024-51736 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 |
| Reported at | 2024-11-05T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
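A triage helper for findings like the ones above, added here as an illustration and not part of this issue or the project's code: it parses the `Affected versions` ranges in the format `composer audit` prints them (`|` separates alternative ranges, `,` joins conditions within one range) and, for an installed version, reports whether the package is hit and the smallest version that no advisory for that package still covers. The advisory list is a subset copied from the table above (phpoffice/phpspreadsheet trimmed to four of its entries), the sample lock versions are constructed, and the computed target is only the first version numerically outside every range, so confirm it is a released version on Packagist before pinning it.

```python
"""Triage helper for a `composer audit` report: given an installed version and
the advisories' "Affected versions" ranges, decide whether the package is
affected and compute the smallest version outside every range.

Range grammar as printed by composer audit: alternatives separated by '|',
each a comma-separated conjunction of comparisons, e.g. '>=11.0.0,<11.44.1'.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

_COMPARISON = re.compile(r"^(<=|>=|<|>|==?)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """'10.48.29' -> (10, 48, 29); short versions are padded so '5.4' == '5.4.0'."""
    parts = tuple(int(p) for p in text.strip().lstrip("v").split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def _holds(version: Version, op: str, bound: Version) -> bool:
    if op == "<":
        return version < bound
    if op == "<=":
        return version <= bound
    if op == ">":
        return version > bound
    if op == ">=":
        return version >= bound
    return version == bound  # '=' / '=='


def parse_constraint(constraint: str) -> List[List[Tuple[str, Version]]]:
    """Return alternatives (OR), each a list of (operator, bound) conjuncts (AND)."""
    alternatives = []
    for alt in constraint.split("|"):
        conjuncts = []
        for comp in alt.split(","):
            comp = comp.strip()
            if not comp:
                continue
            m = _COMPARISON.match(comp)
            if not m:
                raise ValueError(f"unsupported comparison: {comp!r}")
            conjuncts.append((m.group(1) or "=", parse_version(m.group(2))))
        if conjuncts:
            alternatives.append(conjuncts)
    return alternatives


def is_affected(installed: str, constraint: str) -> bool:
    """True if the installed version falls inside any alternative of the range."""
    v = parse_version(installed)
    return any(all(_holds(v, op, b) for op, b in alt)
               for alt in parse_constraint(constraint))


def first_fixed_version(installed: str, constraints: Iterable[str]) -> Optional[str]:
    """Smallest version >= installed that none of the given ranges covers.

    Candidates are the installed version and every upper bound: '<X' -> X,
    '<=X' -> X with its last component incremented (the advisory only tells us
    the fix is strictly later). The result is the first version *numerically*
    outside all ranges for this package; it still has to exist on Packagist.
    """
    constraints = list(constraints)
    v = parse_version(installed)
    candidates = {v}
    for c in constraints:
        for alt in parse_constraint(c):
            for op, b in alt:
                if op == "<":
                    candidates.add(b)
                elif op == "<=":
                    candidates.add(b[:-1] + (b[-1] + 1,))
    for cand in sorted(candidates):
        if cand < v:
            continue
        text = ".".join(map(str, cand))
        if not any(is_affected(text, c) for c in constraints):
            return text
    return None


# Ranges copied from the audit table in this issue. phpoffice/phpspreadsheet is
# abbreviated to four of its advisories; the rest are added the same way.
ADVISORIES: Dict[str, List[str]] = {
    "laravel/framework": [
        "<10.48.29|>=11.0.0,<11.44.1|>=12.0.0,<12.1.1",  # CVE-2025-27515
        "<6.20.45|>=7.0.0,<7.30.7|>=8.0.0,<8.83.28|>=9.0.0,<9.52.17"
        "|>=10.0.0,<10.48.23|>=11.0.0,<11.31.0",  # CVE-2024-52301
    ],
    "league/commonmark": ["<2.7.0", "<2.6.0"],  # CVE-2025-46734, GHSA-c2pc-g5qf-rfrf
    "nesbot/carbon": ["<2.72.6|>=3.0.0,<3.8.4"],  # CVE-2025-22145
    "phpoffice/phpspreadsheet": [
        ">=4.0.0,<5.0.0|>=3.0.0,<3.10.0|>=2.2.0,<2.4.0|>=2.0.0,<2.1.12|<1.30.0",  # CVE-2025-54370
        ">=2.0.0,<2.1.8|>=2.2.0,<2.3.7|<1.29.9|>=3.0.0,<3.9.0",  # CVE-2025-23210
        ">=2.2.0,<=2.3.4|>=2.0.0,<=2.1.5|<=1.29.6|>=3.0.0,<3.7.0",  # CVE-2024-56409
        ">=3.3.0,<3.4.0|>=2.2.0,<2.3.2|>=2.0.0,<2.1.3|<1.29.4",  # CVE-2024-48917
    ],
}


def upgrade_plan(installed: Dict[str, str],
                 advisories: Dict[str, List[str]] = ADVISORIES) -> Dict[str, Tuple[str, Optional[str]]]:
    """package -> (installed, first unaffected version) for every package still hit."""
    plan = {}
    for pkg, version in installed.items():
        ranges = advisories.get(pkg, [])
        if any(is_affected(version, c) for c in ranges):
            plan[pkg] = (version, first_fixed_version(version, ranges))
    return plan


if __name__ == "__main__":
    # Constructed sample of what `composer show --locked` might report; not this project's lock file.
    sample_lock = {"laravel/framework": "11.30.0", "league/commonmark": "2.5.3",
                   "nesbot/carbon": "3.8.3", "phpoffice/phpspreadsheet": "2.3.4"}
    for pkg, (have, want) in upgrade_plan(sample_lock).items():
        print(f"{pkg}: {have} -> {want}")
```

Two things the table alone does not make obvious and the helper handles: a package hit by several advisories must clear all of them at once, so for phpoffice/phpspreadsheet on the 3.x line the target is 3.10.0 (CVE-2025-54370) rather than 3.9.0 or 3.7.0, and a 4.x install has no patched 4.x release in these ranges and has to move to 5.0.0; and inclusive bounds such as `<=2.3.4` only say the fix is strictly later, which is why the candidate is derived by incrementing the last component and should be checked against the actual release list.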
