THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)

Ok

PUBLISHED

CVE-2023-49781

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue

Reserved:2023-11-30
Published:2024-05-13
Updated:2024-05-13

Description

NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.



HIGH: 7.3CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 0.202.9
affected

References

https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h

https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574

cve.org CVE-2023-49781

nvd.nist.gov CVE-2023-49781

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-49781