Skip to content

Commit 57bdc4e

Browse files
1 parent 5dadee3 commit 57bdc4e

3 files changed

Lines changed: 183 additions & 0 deletions

File tree

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-6xcx-7qmg-vjfq",
4+
"modified": "2026-06-05T15:59:53Z",
5+
"published": "2026-06-05T15:59:53Z",
6+
"aliases": [
7+
"CVE-2026-47376"
8+
],
9+
"summary": "NocoDB: Reflected Cross-Site Scripting via Password Reset Token",
10+
"details": "### Summary\n\nThe password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.\n\n### Details\n\nThe vulnerable template embedded the token as:\n\n```ejs\ntoken: '<%= token %>',\n```\n\nA token containing `';alert(document.cookie);//` closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (`data-token=\"…\"`) and reads it from `dataset.token` at runtime, so EJS's HTML-entity escaping is sufficient.\n\n### Impact\n\n- Reflected XSS in the NocoDB origin via a phished password-reset URL.\n- No authentication required to trigger; affects any user who clicks the crafted link.\n- Same-origin script can read auth state and act on the victim's behalf.\n\n### Credit\n\nThis issue was reported by [@fg0x0](https://github.com/fg0x0).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "nocodb"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2026.04.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-6xcx-7qmg-vjfq"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/nocodb/nocodb"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-79"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-05T15:59:53Z",
59+
"nvd_published_at": null
60+
}
61+
}
Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cxv7-gmmp-228p",
4+
"modified": "2026-06-05T15:59:28Z",
5+
"published": "2026-06-05T15:59:28Z",
6+
"aliases": [
7+
"CVE-2026-47375"
8+
],
9+
"summary": "NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`",
10+
"details": "### Summary\n\nAn authenticated user with `columnAdd` permission on a Postgres-backed base can inject arbitrary SQL into the formula engine via the optional `direction` argument of `ARRAYSORT(...)`. The value is unrestricted by formula validation and embedded into a `knex.raw` `ORDER BY` clause, executing during column creation and on every subsequent record read of the formula column.\n\n### Details\n\nThe vulnerability is specific to the Postgres mapping for `ARRAYSORT` in `packages/nocodb/src/db/functionMappings/pg.ts`. Two factors combine:\n\n1. `ARRAYSORT` declares only argument count, not `validation.args.type`, so `validate-extract-tree.ts` does not enforce an allowlist on the second argument.\n2. The Postgres mapping then passes the attacker-controlled value through `sanitize(knex.raw(...))` into a raw SQL fragment:\n\n```ts\nconst direction = pt.arguments[1]\n ? sanitize(\n knex.raw(pt.arguments[1]?.value ?? (await fn(pt.arguments[1])).builder),\n )\n : knex.raw('asc');\n\nreturn {\n builder: knex.raw(`ARRAY(SELECT UNNEST(??) ORDER BY 1 ??)`, [source, direction]),\n};\n```\n\n`sanitize()` in `sqlSanitize.ts` only escapes `?` placeholder characters; it does not validate SQL syntax. A payload such as `\"desc, (SELECT COUNT(*) FROM generate_series(1,30000000))\"` is accepted, persisted, and re-executed on every read of the formula column.\n\n### Impact\n\n- Authenticated SQL injection against Postgres-backed bases.\n- Requires `columnAdd` permission (creator/owner-level).\n- Proven impact: attacker-controlled heavy SQL causing multi-second query stalls (DoS).\n- Potentially extendable to broader SQL injection outcomes depending on database permissions and deployment hardening.\n- Limited to Postgres backends.\n\n### Credit\n\nThis issue was reported by [@leduckhuong](https://github.com/leduckhuong).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "nocodb"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2026.04.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-cxv7-gmmp-228p"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/nocodb/nocodb"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-89"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-05T15:59:28Z",
59+
"nvd_published_at": null
60+
}
61+
}
Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-rvp5-9p55-f5rp",
4+
"modified": "2026-06-05T16:00:15Z",
5+
"published": "2026-06-05T16:00:15Z",
6+
"aliases": [
7+
"CVE-2026-47377"
8+
],
9+
"summary": "NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin",
10+
"details": "### Summary\n\nThe client-side `hashRedirect` plugin called `window.location.replace()` on a path extracted from the URL hash fragment after only checking `hashPath.startsWith('/')`. Protocol-relative URLs (`//attacker.com/…`) also satisfy that check, so a crafted link such as `https://nocodb.example/#//attacker.com/phishing` silently redirected visitors to an attacker-controlled origin.\n\n### Details\n\nIn `packages/nc-gui/plugins/hashRedirect.client.ts`, the plugin extracted the hash content and normalised it into `cleanUrl`:\n\n```ts\nlet cleanUrl = hashPath.startsWith('/') ? hashPath : `/${hashPath}`\nif (hashQuery) cleanUrl += `?${hashQuery}`\nwindow.location.replace(cleanUrl)\n```\n\n`startsWith('/')` returns true for `//attacker.com/...`, which browsers interpret as a protocol-relative absolute URL. No hostname check was performed before the redirect. The fix adds an early `if (/^\\/[/\\\\]/.test(hashPath)) return` to reject protocol-relative paths.\n\n### Impact\n\n- Open redirect from any NocoDB origin to an attacker-controlled domain.\n- No authentication required; the attack lands the victim on an attacker-controlled page that may impersonate a NocoDB login.\n\n### Credit\n\nThis issue was reported by [@fg0x0](https://github.com/fg0x0).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "nocodb"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2026.04.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-rvp5-9p55-f5rp"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/nocodb/nocodb"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.04.1"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-601"
55+
],
56+
"severity": "MODERATE",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-05T16:00:15Z",
59+
"nvd_published_at": null
60+
}
61+
}

0 commit comments

Comments
 (0)