4 matches found

OSV
added 2026/06/05 4:3 p.m., 5 views

GHSA-4W6R-5C2J-QF5F NocoDB: Hidden Column Exposure in Public Shared View Endpoints

Summary: Public shared-view endpoints exposed values from columns that the view owner had hidden, via three independent paths: groupBy returned raw values for any column named in the request, filter and sort arrays operated on hidden columns enabling boolean-blind extraction, and the related-data...

CVSS 6.9, AI score 5.6, EPSS 0.00089
Exploits: 0, References: 3

Snyk
added 2026/06/05 4:3 p.m., 5 views

Authorization Bypass Through User-Controlled Key

Overview: nocodb is a NocoDB Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the public shared-view endpoints, which exposed values from columns that were intended to be hidden. An attacker can access sensitive information by crafting reques...

CVSS 6.9, AI score 5.3, EPSS 0.00089
Exploits: 0, References: 2

OSV
added 2026/04/01 10:7 p.m., 2 views

GHSA-FHRF-Q333-82FM CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary: Vulnerability: Stored DOM XSS via Blog Category Title Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Category Title in Blog Management. Description: The application fails to properly sanitize user-controlled input when creating or editing blog categories. An...

CVSS 9.9, AI score 6.2, EPSS 0.00324
Exploits: 1, References: 4

GitHub Security Blog
added 2026/04/01 10:6 p.m., 7 views

CI4MS: Pages Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary: Vulnerability: Stored DOM XSS via Page Management Fields Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Page Creation and Editing Inputs. Description: The application fails to properly sanitize user-controlled input within the Page Management functionality when...

CVSS 9.1, AI score 6.2, EPSS 0.00269
Exploits: 1, References: 4, Affected Software: 1