CVE-2023-50717

Name of the Vulnerable Software and Affected Versions NocoDB versions 0.202.6 through 0.202.9

Description The issue allows an attacker to upload a html file with malicious content. If a user tries to open that file in a browser, malicious scripts can be executed, leading to a stored cross-site scripting attack. This enables a remote attacker to execute JavaScript code in the context of the user accessing the vector. An attacker could use this to execute requests in the name of a logged-in user or potentially collect information about the attacked user by displaying a malicious form.

Recommendations For NocoDB versions 0.202.6 through 0.202.9, update to version 0.202.10 or later, which contains a patch for the issue. As a temporary workaround, consider restricting the upload of html files or disabling the feature to upload files until a patch is applied. Avoid accessing uploaded files from untrusted sources to minimize the risk of exploitation.