huntr report 2615ADF2-FF40-4623-97FB-2E4A3800202A (mattzajork)
History: Jun 11, 2022 - 5:36 p.m.

Stored Cross-Site Scripting

2022-06-11 17:36:01
mattzajork
www.huntr.dev
9

EPSS: 0.001 (Low), Percentile: 21.6%

Description

A stored cross-site scripting vulnerability exists within the Gallery View comments functionality.

Replication Steps and PoC

Preconditions

PC1. A project exists.

PC2. A table with a sheet containing data exists in the project.

PC3. A gallery view exists.

PC4. A user with the editor role exists.


Steps

Step 1: As an authenticated user with the editor role, navigate to the Gallery View for the existing table and sheet.

Step 2: In the new Gallery View, click on a card to edit the record.

Step 3: In a text field, supply the value containing the cross-site scripting payload, as follows:

"&gt;<img src> 

Step 4: Click “Save row”.

Step 5: In a new browser session, authenticate to NocoDB as the super admin.

Step 6: As the super admin, browse to the Gallery View, click the card from step two, and then click the icon to view the comments. The XSS is executed in the context of the super admin account.

Step 7: The local storage vuex data is sent to an attacker-controlled server, where it can be base64-decoded to retrieve the session token.


The proof-of-concept video demonstrates a user with the editor role exploiting this vulnerability to gain super admin access.
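The root cause in steps 3 and 6 is a comment body written into the page as markup rather than as text. The following is an added example (not NocoDB's code) showing the vulnerable interpolation next to an escaped version; the comment object, its author name and the element names are constructed, and the body is the payload fragment from step 3.

```javascript
// Added defensive example; not taken from the NocoDB code base.
// Assumes comment bodies arrive from the API as plain strings.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Vulnerable pattern: untrusted values dropped straight into markup
// (the same effect as innerHTML or v-html on user-controlled input).
function renderCommentUnsafe(comment) {
  return `<div class="comment" data-author="${comment.author}">${comment.body}</div>`;
}

// Hardened pattern: every untrusted value is escaped before it enters markup,
// so the stored comment renders as literal text instead of a new element.
function renderCommentSafe(comment) {
  return `<div class="comment" data-author="${escapeHtml(comment.author)}">${escapeHtml(comment.body)}</div>`;
}

// Count element starts ("<" followed by a letter) in rendered output.
// The template contributes exactly one; anything more came from the data.
function countElements(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample: author name is made up, body is the fragment from step 3.
const SAMPLE_COMMENT = { author: 'editor', body: '"><img src>' };

console.log(renderCommentUnsafe(SAMPLE_COMMENT)); // two elements: the div plus an injected img
console.log(renderCommentSafe(SAMPLE_COMMENT));   // one element; the payload is inert text
```

Escaping at the rendering boundary closes the injection; keeping the session token out of localStorage (for example in an HttpOnly cookie) limits what any remaining script execution, as in step 7, can read.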

