Stored Cross-Site Scripting Vulnerability in NocoDB Software

CVE-2023-50717

5.7MEDIUM

Key Information

Vendor: Nocodb
Status: Nocodb
Vendor: CVE Published:; 14 May 2024

Summary

NocoDB, the software that enables users to build databases in a spreadsheet format, has a stored cross-site scripting vulnerability affecting versions 0.202.6 through 0.202.9. Attackers can exploit this vulnerability by uploading a malicious HTML file containing harmful scripts. When a user opens this file in a browser, the malicious scripts can execute, allowing attackers to run JavaScript code within the context of the logged-in user. This breach could lead to various attacks, such as making unauthorized requests on behalf of the user or extracting sensitive information through the manifestation of a deceptive form. Fortunately, the issue has been addressed in version 0.202.10, which includes a patch to remediate this vulnerability.

Affected Version(s)

nocodb = >= 0.202.6, < 0.202.10

References

https://github.com/nocodb/nocodb/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Dec 11, 2023

Collectors

NVD DatabaseMitre Database