OSV: GHSA-H6R4-XVW6-JC5H
History: May 13, 2024 - 7:59 p.m.

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue

Published: 2024-05-13 19:59:07
Source: Google osv.dev
Tags: nocodb, stored cross-site scripting, formula.vue, vulnerability, attack, credentials, stealing, share, public viewing, malicious link

7.3 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

AI Score: 6.1 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 8.8%)

Summary

A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.

Details

The nc-gui/components/virtual-cell/Formula.vue component renders a v-html tag bound to the value of “urls”, whose contents are produced by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and turns it into a hyperlink tag <a> with href=XXX, but it leaves everything outside the URI::(XXX) pattern unchanged, so none of that text is HTML-escaped before it is rendered. A malicious user can therefore create a table with a formula field whose output is <img src=1 onerror="malicious javascripts"URI::(XXX). The attacker then shares the table by enabling public viewing, and any victim who opens the shared link has the injected script executed in their own browser session.
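To make the failure mode concrete, the following is an added example (not NocoDB's code, and not the project's actual replaceUrlsWithLink() implementation): a minimal reconstruction of the behaviour the Details paragraph describes, a regex that rewrites URI::(...) into an <a> tag and passes every other character through untouched, beside a hardened variant that HTML-escapes everything outside the matches and only links http(s) URLs. The regex, the function names and the sample payload are assumptions chosen to mirror the advisory's description and the PoC's {T} formula.

```javascript
// Added example, not NocoDB's own code. Reconstructs the vulnerable
// "replace URI::(...) with <a>, leave the rest alone, v-html it" shape
// and a hardened counterpart. Regex and names are assumptions.

const URI_PATTERN = /URI::\(([^)]*)\)/g;

// Vulnerable shape: only the URI::(...) matches are rewritten; all other
// characters in the formula output reach v-html verbatim, so any HTML
// the attacker stored in the referenced cell is rendered as markup.
function replaceUrlsWithLinkVulnerable(text) {
  return text.replace(URI_PATTERN, (_m, url) => `<a href="${url}">${url}</a>`);
}

// HTML-escape the characters that matter in text and attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Accept only http(s) targets for href; javascript:, data:, etc. are
// rejected so the match is rendered as escaped text, not a link.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null;
  }
}

// Hardened shape: escape the text between matches, escape the link
// text, and validate the href scheme before building the <a> tag.
function replaceUrlsWithLinkSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URI_PATTERN)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[1]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(m[1])}</a>`
      : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample: the payload shape from the advisory as it would be
// stored in cell T and echoed by formula {T}. The onerror body is a marker.
const PAYLOAD = '<img src=1 onerror="alert(1)"URI::(https://example.com/)';

// Detection helper: does the rendered HTML still carry a live <img tag?
function rendersRawImgTag(html) {
  return /<img\b/i.test(html);
}

console.log('vulnerable:', replaceUrlsWithLinkVulnerable(PAYLOAD));
console.log('hardened:  ', replaceUrlsWithLinkSafe(PAYLOAD));
```

The hardened variant shows the two checks a reviewer would ask for in any v-html sink: every byte that is not produced by the code itself is escaped, and the one attribute it does construct (href) is restricted to a safe scheme rather than copied from user input.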

PoC

Step 1: The attacker logs in to NocoDB and creates a table with two fields, “T” and “F”. The type of field “T” is “SingleLineText”, and the type of field “F” is “Formula” with the formula content {T}.
Step 2: The attacker sets the contents of T using <img src>

CPE Name | Operator | Version
nocodb | lt | 0.202.9
