CVE-2023-50717 NocoDB Allows Preview of File with Dangerous Content

2024-05-1316:05:48

CWE-79

CWE-434

GitHub_M

www.cve.org

nocodb

file preview

malicious content

cross-site scripting

remote attacker

javascript code

security patch

CVSS3

5.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

Percentile

9.0%

JSON

NocoDB is software for building databases as spreadsheets. Starting in verson 0.202.6 and prior to version 0.202.10, an attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading stored cross-site scripting attack. This allows remote attacker to execute JavaScript code in the context of the user accessing the vector. An attacker could have used this vulnerability to execute requests in the name of a logged-in user or potentially collect information about the attacked user by displaying a malicious form. Version 0.202.10 contains a patch for the issue.

CNA Affected

[
  {
    "vendor": "nocodb",
    "product": "nocodb",
    "versions": [
      {
        "version": ">= 0.202.6, < 0.202.10",
        "status": "affected"
      }
    ]
  }
]