Cross-Site Scripting Vulnerability in NocoDB Prior to 0.202.9
CVE-2023-49781

7.3HIGH

Key Information:

Vendor: Nocodb
Status: Nocodb
Vendor: CVE Published:; 14 May 2024

What is CVE-2023-49781?

NocoDB, a platform designed to transform databases into spreadsheet formats, has a stored cross-site scripting vulnerability affecting its Formula virtual cell comments functionality. This vulnerability is present in versions of the software released before 0.202.9. The issue arises from the handling of v-html within the Formula.vue component, specifically in the handling of URL patterns. The replaceUrlsWithLink() function processes certain URIs but fails to adequately sanitize the remaining content, allowing potential malicious scripts to be injected. This vulnerability can lead to unauthorized script execution if exploited. Users are encouraged to update to version 0.202.9 or later to mitigate this risk. More details can be found in the official security advisory.

Affected Version(s)

nocodb < 0.202.9

References

https://github.com/nocodb/nocodb/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/nocodb/nocodb/commit/7f58ce3726dfec715...

x_refsource_MISC

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Nov 30, 2023

Nocodb

What is CVE-2023-49781?

Affected Version(s)

References

CVSS V3.1

Timeline