Stored Cross-Site Scripting Vulnerability in NocoDB Software
CVE-2023-50717

5.7MEDIUM

Key Information:

Vendor: Nocodb
Status: Nocodb
Vendor: CVE Published:; 14 May 2024

What is CVE-2023-50717?

NocoDB, the software that enables users to build databases in a spreadsheet format, has a stored cross-site scripting vulnerability affecting versions 0.202.6 through 0.202.9. Attackers can exploit this vulnerability by uploading a malicious HTML file containing harmful scripts. When a user opens this file in a browser, the malicious scripts can execute, allowing attackers to run JavaScript code within the context of the logged-in user. This breach could lead to various attacks, such as making unauthorized requests on behalf of the user or extracting sensitive information through the manifestation of a deceptive form. Fortunately, the issue has been addressed in version 0.202.10, which includes a patch to remediate this vulnerability.

Affected Version(s)

nocodb >= 0.202.6, < 0.202.10

References

https://github.com/nocodb/nocodb/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Dec 11, 2023

Nocodb

What is CVE-2023-50717?

Affected Version(s)

References

CVSS V3.1

Timeline