NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.
An authenticated attacker with create access could conduct a SQL injection attack against a MySQL database through an unescaped table_name.
An attacker can upload an HTML file with malicious content. If a user opens that file in the browser, the embedded script executes, resulting in stored XSS (cross-site scripting).
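The upload issue above is a content-handling problem: a file the user can name and fill is served back from the application's own origin, so the browser renders it as a page. The following is an added illustration, not NocoDB code, of choosing response headers for a stored upload so that HTML (or a file lying about its type) is always downloaded rather than rendered. The inline allowlist, the sniffing heuristic and the sample uploads are constructed for this example.

```javascript
// Added example (not NocoDB code): pick response headers for a user-uploaded
// file so an HTML upload is never rendered in the application's origin.
// INLINE_TYPES and the sample uploads below are constructed for illustration.

// Only these declared types may be shown inline; everything else is forced
// to download as an opaque attachment.
const INLINE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'application/pdf', 'text/plain',
]);

// Defence in depth: look at the first bytes for markup that would make the
// file behave as HTML if the declared type were ever trusted.
function sniffHtml(data) {
  const head = Buffer.from(data.slice(0, 512)).toString('latin1').toLowerCase();
  return /<\s*(!doctype\s+html|html|script|svg|body|iframe)/.test(head);
}

// upload = { name, contentType, data: Buffer } as stored by the application.
function downloadHeaders(upload) {
  const declared = (upload.contentType || '').split(';')[0].trim().toLowerCase();
  // Strip anything that could break out of the quoted filename parameter.
  const filename = upload.name.replace(/[^\w.\-]/g, '_');
  const headers = {
    // Stop the browser from second-guessing the Content-Type we send.
    'X-Content-Type-Options': 'nosniff',
    // Even if something did render, it runs with no script and no origin.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
  if (INLINE_TYPES.has(declared) && !sniffHtml(upload.data)) {
    headers['Content-Type'] = declared;
    headers['Content-Disposition'] = `inline; filename="${filename}"`;
  } else {
    headers['Content-Type'] = 'application/octet-stream';
    headers['Content-Disposition'] = `attachment; filename="${filename}"`;
  }
  return headers;
}

// Constructed sample uploads: a plain HTML payload, a benign image, and a
// file declared as text/plain that is really an HTML document.
const SAMPLE_HTML_UPLOAD = {
  name: 'invoice.html', contentType: 'text/html',
  data: Buffer.from('<html><script>fetch("/api/token")</script></html>'),
};
const SAMPLE_PNG_UPLOAD = {
  name: 'logo.png', contentType: 'image/png',
  data: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
};
const SAMPLE_DISGUISED_UPLOAD = {
  name: 'notes.txt', contentType: 'text/plain',
  data: Buffer.from('<!DOCTYPE html><body onload=alert(1)>'),
};
```

Serving attachments from a separate, cookie-less origin (a dedicated download host) removes the remaining risk entirely, since even a rendered HTML file then has no access to the application's session.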
NocoDB is an open source Airtable alternative. Affected versions of NocoDB contain a SQL injection vulnerability that allows an authenticated attacker with creator access to query the underlying database. By supplying a specially crafted payload to the given an attacker can inject arbitrary SQL queries to be executed. Since this is a blind SQL injection, an attacker may need to use time-based payloads, which would include a function to delay …
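Both SQL injection entries above (the unescaped table_name and the blind, time-based variant) come down to an attacker-controlled identifier being concatenated into a statement. The following added example, written for this page and not taken from NocoDB, shows the vulnerable construction next to a hardened one that checks the name against the set of tables the application actually knows and quotes it as a MySQL identifier. The function names, the table set and the payload are constructed for illustration.

```javascript
// Added example (not NocoDB code): an unescaped table name as an injection
// point, and the allowlist-plus-quoting fix. Names and payload are constructed.

// Vulnerable: the caller-supplied name lands in the statement verbatim, so
// anything after the first space is interpreted as SQL.
function buildSelectVulnerable(tableName) {
  return `SELECT * FROM ${tableName} LIMIT 10`;
}

// Quote a MySQL identifier: wrap in backticks and double embedded backticks.
// MySQL limits identifiers to 64 characters, so longer input is rejected.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) {
    throw new Error('invalid identifier');
  }
  return '`' + name.replace(/`/g, '``') + '`';
}

// Hardened: the name must be one the application created (allowlist), and is
// then quoted as defence in depth so no metacharacter can alter the statement.
function buildSelectSafe(tableName, knownTables) {
  if (!knownTables.has(tableName)) {
    throw new Error(`unknown table: ${tableName}`);
  }
  return `SELECT * FROM ${quoteIdentifier(tableName)} LIMIT 10`;
}

// Constructed time-based blind payload of the kind the advisory describes:
// the "table name" closes the FROM clause, adds a delay, and comments out
// the rest. A 5 s response time confirms the injection without any output.
const PAYLOAD = 'users WHERE SLEEP(5) -- ';

// Constructed set of tables the application itself created.
const KNOWN_TABLES = new Set(['users', 'orders']);
```

With the allowlist in place the payload is rejected before any quoting happens; the quoting matters for the case where a legitimately created table name contains characters such as spaces or backticks, which the vulnerable form would also mishandle.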
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
Denial of Service in GitHub repository nocodb/nocodb prior to 0.92.0.
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.