This repository was archived by the owner on Dec 6, 2022. It is now read-only.

[Security] Bump phpoffice/phpexcel from 1.8.1 to 1.8.2 #35

Open: dependabot-preview[bot] wants to merge 1 commit into master from dependabot/composer/phpoffice/phpexcel-1.8.2

@dependabot-preview

Bumps phpoffice/phpexcel from 1.8.1 to 1.8.2. This update includes a security fix.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

XXE Vulnerability

Affected versions: <=1.8.1

Changelog

Sourced from phpoffice/phpexcel's changelog.


Planned for 1.8.2

  • Bugfix: (MBaker) - Fix to getCell() method when cell reference includes a worksheet reference
  • Bugfix: (ncrypthic) Work Item GH-570 - Ignore inlineStr type if formula element exists
  • Bugfix: (hernst42) Work Item GH-709 - Fixed missing renames of writeRelationShip (from _writeRelationShip)
  • General: (umpirsky) Work Item GH-548 - Optimize vlookup() sort
  • Bugfix: (MBaker) Work Item GH-554 - Whitespace after toRichTextObject()
  • Feature: (MBaker) - Initial implementation of SUMIFS() function
  • Feature: (MBaker) - Additional codepages
  • Feature: (Tomino2112) Work Item GH-808 - MemoryDrawing not working in HTML writer
  • General: (rentalhost) Work Item GH-575 - Excel 2007 Reader freezes because of conditional formatting
  • Bugfix: (vitalyrepin) Pull Request 869 - c:max and c:min elements shall NOT be inside c:orientation elements
  • General: (sim642) Pull Request 489 - Implement actual timezone adjustment into PHPExcel_Shared_Date::PHPToExcel

Commits

  • 1441011 Merge remote-tracking branch 'origin/master'
  • 2b60157 Fix and improve XXE security scanning for XML-based Readers
  • d3373c9 Fix old reference to _sheetIndex in HTML Writer
  • 1c8c237 Fix to Radar and Scatter chart examples
  • 900325d Minor updates to composer
  • e487f5c Fix for multiple worksheets, all with merge cells, in HTML Writer
  • fcc5c65 Fix to 01simple.php example after mis-commit
  • 650d2d0 Merge branch 'develop' into 1.8
  • b202956 Fix for XML settings, together with unit tests
  • b0ce48f Merge pull request #895 from psirus0588/patch-1
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Bumps [phpoffice/phpexcel](https://github.com/PHPOffice/PHPExcel) from 1.8.1 to 1.8.2. **This update includes a security fix.**
- [Release notes](https://github.com/PHPOffice/PHPExcel/releases)
- [Changelog](https://github.com/PHPOffice/PHPExcel/blob/1.8/changelog.txt)
- [Commits](PHPOffice/PHPExcel@1.8.1...1.8.2)

Signed-off-by: dependabot-preview[bot] <[email protected]>

dependabot-preview[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "security" (Pull requests that address a security vulnerability) on Jan 29, 2020.