NocoDB: Reflected Cross-Site Scripting via Password Reset Token

Summary

The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS <%= %> HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.

Details

The vulnerable template embedded the token as:

token: '<%= token %>',

A token containing ';alert(document.cookie);// closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (data-token="…") and reads it from dataset.token at runtime, so EJS's HTML-entity escaping is sufficient.

Impact

• Reflected XSS in the NocoDB origin via a phished password-reset URL.
• No authentication required to trigger; affects any user who clicks the crafted link.
• Same-origin script can read auth state and act on the victim's behalf.

Credit

This issue was reported by @fg0x0.