NocoDB: Hidden Column Exposure in Public Shared View Endpoints

Summary Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data...

com.liferay:com.liferay.document.library.service (>=1.0.0 <=2.0.8), com.liferay:com.liferay.dynamic.data.lists.service (>=1.0.0 <=1.1.48) +10 more potentially affected by CVE-2021-38268 via com.liferay:com.liferay.dynamic.data.mapping.service (>=1.0.0 <=2.2.0)

com.liferay:com.liferay.dynamic.data.mapping.service MAVEN version =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.5, =1.0.30 Source cves: CVE-2021-38268 Source advisory: OSV:GHSA-F855-2RVM-5J7H...

typo3sql.txt

Here is a POC for the typo3 issue to test if you are vulnerable. This doesn't pull the password, just the username : http://path/?&action=getviewcategory&categoryuid=-99%20UNION%20SELECT%20use rname%20FROM%20beusers%20WHERE%20uid=1/ Also, it's easy to pull lists of data from the database using th...