PT-2024-13799 · Nocodb · Nocodb
Zpbrent · Published 2024-05-13 · Updated 2024-05-18 · CVE-2023-49781
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: NocoDB versions prior to 0.202.9

Description: A stored cross-site scripting vulnerability exists in the Formula virtual cell comments functionality. The component nc-gui/components/virtual-cell/Formula.vue renders the urls value through a v-html tag; that value is produced by the function replaceUrlsWithLink(). The function recognises the pattern URI::(XXX) and turns it into a hyperlink tag <a> with href=XXX, but it leaves all other content outside the URI::(XXX) pattern unchanged, so any HTML in the cell value is rendered as markup rather than as text. This allows attackers to create a malicious table with a formula field whose payload is <img src=1 onerror="malicious JavaScript"URI::(XXX). The attackers can then share this table with others by enabling public viewing, and victims who open the shared link are attacked. The vulnerability can be exploited to steal the credentials of NocoDB users who open the malicious link.

Recommendations: For NocoDB versions prior to 0.202.9, update to version 0.202.9 or later to fix the stored cross-site scripting vulnerability. As a temporary workaround, consider disabling the replaceUrlsWithLink() function or restricting access to the Formula virtual cell comments functionality until a patch is applied. Avoid binding the urls value to a v-html tag until the issue is resolved.
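The root cause above is that text outside the URI::(XXX) pattern reaches v-html unescaped. The following is an added illustration of how such a link rewriter can be built safely; it is not NocoDB's replaceUrlsWithLink() and its regex, escaping rules, scheme allow-list and output shape are assumptions. Every character outside the pattern is HTML-escaped, and only http(s) URLs become links.

```javascript
// Added example (not NocoDB's code): a hardened URI::(...) link rewriter.
// Assumptions: pattern is URI::( ... ) with no nested ')', and only
// http/https URLs are allowed to become hyperlinks.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Reject javascript:, data: and other schemes that v-html would honour in href.
function isSafeUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Builds HTML that is safe to bind with v-html: every slice of text that is
// not a recognised URI::(...) token is escaped, and the URL is escaped both
// as the href attribute and as the visible link text.
function replaceUrlsWithLinkSafe(text) {
  const pattern = /URI::\(([^)]*)\)/g;
  let out = '';
  let last = 0;
  for (const m of text.matchAll(pattern)) {
    out += escapeHtml(text.slice(last, m.index)); // text outside the pattern
    const url = m[1];
    if (isSafeUrl(url)) {
      const safe = escapeHtml(url);
      out += `<a href="${safe}" target="_blank" rel="noopener noreferrer">${safe}</a>`;
    } else {
      out += escapeHtml(m[0]); // unsafe scheme: keep the token as plain text
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last)); // trailing text after the last token
  return out;
}

// Constructed cell value mirroring the advisory's payload shape.
const sampleCell = '<img src=1 onerror="x()">URI::(https://example.com)';
```

With the hardened rewriter the `<img>` tag in the constructed sample is rendered as literal text, so no event handler is ever created by the browser.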

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2023-49781, GHSA-H6R4-XVW6-JC5H

Affected Products: Nocodb