NocoDB 0.11.1 Security Vulnerabilities
NocoDB is software for building databases as spreadsheets. The API endpoint /api/v1/db/auth/password/reset/:tokenId, which belongs to the password reset function, is vulnerable to Reflected Cross-Site Scripting. The flaw stems from the implementation of the client-side template engine ejs: in the file resetPassword.ts, the template uses the insecure `<%-` output tag (which does not HTML-escape its value), and that template is rendered by the function renderPasswordReset. This vulnerability is fixed in 0.258.0.
CVSS Score: 5.4
EPSS Score: 0.0
Published: 2025-03-06
NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the database. Version 0.202.10 contains a patch for the issue.
CVSS Score: 6.5
EPSS Score: 0.002
Published: 2024-05-14
NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.
CVSS Score: 7.3
EPSS Score: 0.01
Published: 2024-05-14
Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.
CVSS Score: 5.7
EPSS Score: 0.006
Published: 2023-09-21
NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.
CVSS Score: 7.5
EPSS Score: 0.933
Published: 2023-06-19
Allocation of Resources Without Limits or Throttling in GitHub repository nocodb/nocodb prior to 0.92.0.
CVSS Score: 7.3
EPSS Score: 0.014
Published: 2022-10-07
With this SSRF vulnerability, an attacker can reach internal addresses, making a request as the server and reading its contents. This attack can lead to leakage of sensitive information.
CVSS Score: 9.1
EPSS Score: 0.007
Published: 2022-07-07
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.
CVSS Score: 7.3
EPSS Score: 0.004
Published: 2022-06-14
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.
CVSS Score: 9.1
EPSS Score: 0.011
Published: 2022-06-13
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.
CVSS Score: 9.0
EPSS Score: 0.01
Published: 2022-06-13