We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.
Reserved 2023-11-30 | Published 2024-05-13 | Updated 2024-08-02 | Assigner GitHub_MCWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
github.com/...nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h
github.com/...ommit/7f58ce3726dfec71537d8b80474a0f95a48a1574
Support options