2 matches found
NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`
Summary: An authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional direction argument of `ARRAYSORT`.... The value is unrestricted by formula validation and embedded into a `knex.raw` `ORDER BY` clause, executing during...
CVE-2020-20600
MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn...