CVE-2023-50717 MEDIUM

CVE-2023-50717: NocoDB Allows Preview of File with Dangerous Content

Vendor Nocodb
Product nocodb
Weakness CWE-434 · Unrestricted file upload
Published May 13, 2024
Last update August 2, 2024

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

NocoDB is software for building databases as spreadsheets. Starting in verson 0.202.6 and prior to version 0.202.10, an attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading stored cross-site scripting attack. This allows remote attacker to execute JavaScript code in the context of the user accessing the vector. An attacker could have used this vulnerability to execute requests in the name of a logged-in user or potentially collect information about the attacked user by displaying a malicious form. Version 0.202.10 contains a patch for the issue.

Key dates

02Disclosure timeline

May 13, 2024 CVE published
August 2, 2024 Record updated