Nocodb · Nocodb · CVE-2023-50718
**Name of the Vulnerable Software and Affected Versions**
NocoDB versions prior to 0.202.10
**Description**
The issue allows an authenticated attacker with create access to conduct a SQL Injection attack against the MySQL database using an unescaped `table name`. This may result in leakage of sensitive data in the database. The SQL Injection vulnerability occurs in the `VitessClient.ts` file, specifically in the `columnList` function, where the `args.tn` variable, which holds the table name entered by the user, is not properly sanitized. A malicious attacker can exploit this by including a special character in the table name to escape the existing query and execute a new arbitrary SQL query.
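The following TypeScript is an added illustration of the pattern the description names, not NocoDB's own code: the exact SQL that `columnList` in `VitessClient.ts` builds is an assumption, as are the helper names `vulnerableColumnListQuery`, `safeColumnListQuery`, `isSafeIdentifier`, `quoteIdentifier` and `safeColumnListParameterized`. The first function shows the unsafe interpolation of `args.tn`; the rest show the two defensive options a reviewer would expect, depending on whether the table name is used as an identifier or compared as a value.

```typescript
// Added example; illustrative only, not the NocoDB project's code.
// `args.tn` mirrors the advisory's naming; the SQL text is assumed.

interface ColumnListArgs {
  tn: string; // table name supplied by the user
}

// Vulnerable pattern described in the advisory: the user-controlled table name
// is spliced straight into the SQL text, so a quote or backtick in `tn` changes
// the structure of the statement instead of being treated as part of the name.
function vulnerableColumnListQuery(args: ColumnListArgs): string {
  return `SHOW COLUMNS FROM ${args.tn}`;
}

// Allow-list check for a MySQL identifier: letters, digits and underscore only,
// at most 64 characters (MySQL's identifier length limit). This excludes every
// character that could close a quoted identifier or start a new statement.
const IDENTIFIER_RE = /^[A-Za-z0-9_]{1,64}$/;

function isSafeIdentifier(name: string): boolean {
  return IDENTIFIER_RE.test(name);
}

// Quote an identifier for MySQL. A backtick inside the name is doubled, which is
// MySQL's escape for a literal backtick inside a backtick-quoted identifier.
// Used together with the allow-list this is defence in depth.
function quoteIdentifier(name: string): string {
  if (name.length === 0 || name.length > 64) {
    throw new Error('invalid identifier length');
  }
  if (name.includes('\u0000')) {
    throw new Error('NUL byte in identifier');
  }
  return '`' + name.replace(/`/g, '``') + '`';
}

// Hardened form of the same query builder: reject anything that is not a plain
// identifier, then quote what remains. Rejecting is preferable to escaping
// here, because a table name containing punctuation is not a legitimate input.
function safeColumnListQuery(args: ColumnListArgs): string {
  if (!isSafeIdentifier(args.tn)) {
    throw new Error(`rejected table name: ${JSON.stringify(args.tn)}`);
  }
  return `SHOW COLUMNS FROM ${quoteIdentifier(args.tn)}`;
}

// When the table name is compared as a value rather than used as an identifier
// (for example a lookup in information_schema), a bound parameter is the right
// tool: the driver sends the value separately from the SQL text, so no
// character in it can alter the statement.
function safeColumnListParameterized(args: ColumnListArgs): { sql: string; params: string[] } {
  return {
    sql:
      'SELECT COLUMN_NAME, DATA_TYPE FROM information_schema.COLUMNS ' +
      'WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = ? ORDER BY ORDINAL_POSITION',
    params: [args.tn],
  };
}
```

The detection-side takeaway is the same as the fix: a table name that fails `isSafeIdentifier` should be logged and refused at the API boundary rather than passed on to the database layer.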
**Recommendations**
For versions prior to 0.202.10, update to version 0.202.10 or later, which contains a patch for the issue. As a temporary workaround, consider restricting access to the `columnList` function in `VitessClient.ts` to minimize the risk of exploitation. Additionally, restrict the use of the `args.tn` variable in the affected SQL query until the issue is resolved.