
THREATINT
PUBLISHED

CVE-2023-49781

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue



Description

NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists in the comments functionality of the Formula virtual cell. The component nc-gui/components/virtual-cell/Formula.vue renders the value "urls" through Vue's v-html directive, which inserts the string as raw HTML rather than as escaped text. That value is produced by the function replaceUrlsWithLink(), which recognizes the pattern URI::(XXX) and rewrites it into a hyperlink tag <a> with href=XXX, but leaves everything outside the URI::(XXX) pattern unchanged. Any HTML an attacker places in the cell outside that pattern is therefore rendered unescaped in the browser of every user who views the cell. This vulnerability is fixed in 0.202.9.

Reserved 2023-11-30 | Published 2024-05-13 | Updated 2024-08-02 | Assigner GitHub_M


HIGH: 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 0.202.9: affected

References

github.com/...nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h

github.com/...ommit/7f58ce3726dfec71537d8b80474a0f95a48a1574

cve.org (CVE-2023-49781)

nvd.nist.gov (CVE-2023-49781)

https://cve.threatint.eu/CVE/CVE-2023-49781
