NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site Scripting.
A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.
An authenticated attacker with create access could conduct a SQL injection attack on a MySQL database using an unescaped table_name.
An attacker can upload an HTML file with malicious content. If a user opens that file in a browser, the malicious scripts are executed, leading to a stored XSS (Cross-Site Scripting) attack.
Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads which would include a function to delay …
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.