Headline

GHSA-wf6c-hrhf-86cw: NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page

Summary

The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting.

Details

Throughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting.

The flaw occurs due to implementation of the client-side template engine ejs, specifically on file resetPassword.ts where the template is using the insecure function “<%-“ https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
which is rendered by the function renderPasswordReset: https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251

PoC

Send the request below to a vulnerable instance: /api/v1/db/auth/password/reset/asdsad%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E/

Impact

The vulnerability affect end-users, allowing an attacker to craft and send a malicious link to the victim which leads running script on their browser.

Credits

l34k3d ottoboni

6 hours ago

ghsa

Open in Source

#xss #vulnerability #js #git #auth

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

ghsa: Latest News

GHSA-vc29-vg52-6643: DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api

2 hours ago

ghsa

GHSA-2cmq-823j-5qj8: Out-of-bounds Write in SixLabors ImageSharp

2 hours ago

ghsa

GHSA-p3fp-8748-vqfq: Django vulnerable to Allocation of Resources Without Limits or Throttling

3 hours ago

ghsa

GHSA-52jx-g6m5-h735: Fleet has SAML authentication vulnerability due to improper SAML response validation

5 hours ago

ghsa

GHSA-mf24-chxh-hmvj: Envoy Gateway Log Injection Vulnerability

5 hours ago

ghsa