Nocodb
Monthly
NocoDB versions before 0.301.3 allow authenticated attackers to inject malicious JavaScript through rich text cell content that is rendered without sanitization, enabling stored cross-site scripting attacks. An attacker with user access can craft malicious payloads that execute in the browsers of other users viewing affected cells, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected deployments.
SQL injection in NocoDB versions prior to 0.301.3 allows authenticated users with Creator role to execute arbitrary SQL commands through the DATEADD formula's unit parameter. This high-severity vulnerability enables attackers to compromise data confidentiality, integrity, and system availability with network access and low complexity. No patch is currently available for affected installations.
Stored cross-site scripting in NocoDB versions before 0.301.3 allows authenticated users to inject malicious scripts through comments and rich text cells that execute in other users' browsers due to unsanitized HTML rendering. An attacker with login credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise other database users accessing the same NocoDB instance. No patch is currently available for affected deployments.
NocoDB versions prior to 0.301.3 are vulnerable to stored cross-site scripting (XSS) through improperly sanitized comment rendering via v-html, allowing authenticated users to inject malicious scripts that execute in other users' browsers. An attacker with login access could craft malicious comments to steal session tokens, perform unauthorized actions, or deface the application interface for other users. A patch is available in version 0.301.3 and later.
NocoDB versions prior to 0.301.3 fail to invalidate refresh tokens during password resets, enabling attackers with previously compromised tokens to continue generating valid session tokens despite the victim changing their password. An authenticated attacker can exploit this to maintain unauthorized access to user accounts without requiring the new credentials. This vulnerability requires prior token compromise but allows indefinite session hijacking until the stolen token naturally expires.
Nocodb versions up to 0.301.3 is affected by authorization bypass through user-controlled key (CVSS 6.3).
NocoDB versions prior to 0.301.3 store shared view passwords in plaintext and validate them using simple string comparison, allowing attackers with database access to trivially recover authentication credentials. This affects all users relying on shared view password protection for access control. No patch is currently available for affected deployments.
NocoDB versions prior to 0.301.3 allow authenticated Editor-role users to inject arbitrary HTML into Rich Text cells by bypassing client-side validation and sending malicious payloads directly through the API. This stored XSS vulnerability affects any NocoDB instance where untrusted users have Editor access, potentially enabling malicious script execution in the browsers of users viewing affected cells. No patch is currently available for this vulnerability.
NocoDB versions prior to 0.301.3 expose user enumeration through the password reset endpoint, which returns distinguishable responses for valid and invalid email addresses. An unauthenticated attacker can exploit this to identify registered users in the system. This vulnerability requires no user interaction and has a CVSS score of 5.3, though no patch is currently available.
Stored XSS in NocoDB versions before 0.301.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers through malicious formulas in virtual cells. The vulnerability exploits unsanitized rendering of URI patterns in formula results, enabling attackers to steal session tokens, manipulate data, or perform actions on behalf of victims. No patch is currently available for affected deployments.
NocoDB spreadsheet platform prior to 0.301.0 has a stored XSS vulnerability (CVSS 9.0) that enables code execution through malicious cell content in shared views.
NocoDB versions prior to 0.301.0 contain an open redirect vulnerability in the login flow where the `continueAfterSignIn` parameter is not validated, allowing attackers to redirect authenticated users to arbitrary external websites. Public exploit code exists for this vulnerability, which enables phishing attacks by abusing user trust in the legitimate login process to facilitate credential theft through social engineering. Authenticated users are at risk of being redirected to attacker-controlled domains immediately after successful login.
NocoDB versions prior to 0.301.0 contain a blind SSRF vulnerability in the uploadViaURL feature where an unvalidated HEAD request allows authenticated attackers to probe arbitrary URLs and internal networks before SSRF protections are enforced. Public exploit code exists for this vulnerability, though it has limited impact due to the lack of response data exfiltration. Users should upgrade to version 0.301.0 or later, though no patch is currently available for older versions.
Prototype pollution in NocoDB's connection test endpoint allows authenticated org-level creators to disrupt all database write operations application-wide until server restart, with public exploit code available. Although the vulnerability can bypass SUPER_ADMIN authorization checks, the resulting denial of service prevents actual exploitation of elevated privileges. The issue affects versions prior to 0.301.0 with no patch currently available.
NocoDB is software for building databases as spreadsheets. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
NocoDB versions before 0.301.3 allow authenticated attackers to inject malicious JavaScript through rich text cell content that is rendered without sanitization, enabling stored cross-site scripting attacks. An attacker with user access can craft malicious payloads that execute in the browsers of other users viewing affected cells, potentially compromising session data or performing unauthorized actions. No patch is currently available for affected deployments.
SQL injection in NocoDB versions prior to 0.301.3 allows authenticated users with Creator role to execute arbitrary SQL commands through the DATEADD formula's unit parameter. This high-severity vulnerability enables attackers to compromise data confidentiality, integrity, and system availability with network access and low complexity. No patch is currently available for affected installations.
Stored cross-site scripting in NocoDB versions before 0.301.3 allows authenticated users to inject malicious scripts through comments and rich text cells that execute in other users' browsers due to unsanitized HTML rendering. An attacker with login credentials can exploit this to steal session tokens, perform unauthorized actions, or compromise other database users accessing the same NocoDB instance. No patch is currently available for affected deployments.
NocoDB versions prior to 0.301.3 are vulnerable to stored cross-site scripting (XSS) through improperly sanitized comment rendering via v-html, allowing authenticated users to inject malicious scripts that execute in other users' browsers. An attacker with login access could craft malicious comments to steal session tokens, perform unauthorized actions, or deface the application interface for other users. A patch is available in version 0.301.3 and later.
NocoDB versions prior to 0.301.3 fail to invalidate refresh tokens during password resets, enabling attackers with previously compromised tokens to continue generating valid session tokens despite the victim changing their password. An authenticated attacker can exploit this to maintain unauthorized access to user accounts without requiring the new credentials. This vulnerability requires prior token compromise but allows indefinite session hijacking until the stolen token naturally expires.
Nocodb versions up to 0.301.3 is affected by authorization bypass through user-controlled key (CVSS 6.3).
NocoDB versions prior to 0.301.3 store shared view passwords in plaintext and validate them using simple string comparison, allowing attackers with database access to trivially recover authentication credentials. This affects all users relying on shared view password protection for access control. No patch is currently available for affected deployments.
NocoDB versions prior to 0.301.3 allow authenticated Editor-role users to inject arbitrary HTML into Rich Text cells by bypassing client-side validation and sending malicious payloads directly through the API. This stored XSS vulnerability affects any NocoDB instance where untrusted users have Editor access, potentially enabling malicious script execution in the browsers of users viewing affected cells. No patch is currently available for this vulnerability.
NocoDB versions prior to 0.301.3 expose user enumeration through the password reset endpoint, which returns distinguishable responses for valid and invalid email addresses. An unauthenticated attacker can exploit this to identify registered users in the system. This vulnerability requires no user interaction and has a CVSS score of 5.3, though no patch is currently available.
Stored XSS in NocoDB versions before 0.301.3 allows authenticated users to execute arbitrary JavaScript in other users' browsers through malicious formulas in virtual cells. The vulnerability exploits unsanitized rendering of URI patterns in formula results, enabling attackers to steal session tokens, manipulate data, or perform actions on behalf of victims. No patch is currently available for affected deployments.
NocoDB spreadsheet platform prior to 0.301.0 has a stored XSS vulnerability (CVSS 9.0) that enables code execution through malicious cell content in shared views.
NocoDB versions prior to 0.301.0 contain an open redirect vulnerability in the login flow where the `continueAfterSignIn` parameter is not validated, allowing attackers to redirect authenticated users to arbitrary external websites. Public exploit code exists for this vulnerability, which enables phishing attacks by abusing user trust in the legitimate login process to facilitate credential theft through social engineering. Authenticated users are at risk of being redirected to attacker-controlled domains immediately after successful login.
NocoDB versions prior to 0.301.0 contain a blind SSRF vulnerability in the uploadViaURL feature where an unvalidated HEAD request allows authenticated attackers to probe arbitrary URLs and internal networks before SSRF protections are enforced. Public exploit code exists for this vulnerability, though it has limited impact due to the lack of response data exfiltration. Users should upgrade to version 0.301.0 or later, though no patch is currently available for older versions.
Prototype pollution in NocoDB's connection test endpoint allows authenticated org-level creators to disrupt all database write operations application-wide until server restart, with public exploit code available. Although the vulnerability can bypass SUPER_ADMIN authorization checks, the resulting denial of service prevents actual exploitation of elevated privileges. The issue affects versions prior to 0.301.0 with no patch currently available.
NocoDB is software for building databases as spreadsheets. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.