NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.
Advisories for Npm/Nocodb package
2024
NocoDB SQL Injection vulnerability
An authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped table_name.
NocoDB Allows Preview of Files with Dangerous Content
Attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading Stored XSS(Cross-Site Script) attack.
2023
nocodb SQL Injection vulnerability
Nocodb is an open source Airtable alternative. Affected versions of nocodb contain a SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads which would include a function to delay …
Improper Input Validation
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
2022
Uncontrolled Resource Consumption
Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.
Insufficient Session Expiration
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
Improper Privilege Management
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.
Generation of Error Message Containing Sensitive Information
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.