Platform
nodejs
Component
nocodb
Fixed in
0.91.7
CVE-2022-2022 describes a Cross-Site Scripting (XSS) vulnerability discovered in NocoDB, a self-hosted, open-source Airtable alternative. This stored XSS vulnerability allows attackers to inject malicious scripts into the application, potentially leading to unauthorized code execution and data compromise. The vulnerability affects versions of NocoDB prior to 0.91.7, and a patch has been released to address the issue.
The impact of this XSS vulnerability is significant. An attacker could inject malicious JavaScript code that executes in the context of other users' browsers. This could be used to steal session cookies, redirect users to phishing sites, or deface the application. Successful exploitation could grant an attacker full control over user accounts and potentially the entire NocoDB instance, depending on the permissions configured. The stored nature of the XSS means the injected script persists until removed, allowing for repeated exploitation without further attacker action. This is particularly concerning in environments where NocoDB is used to manage sensitive data.
CVE-2022-2022 was publicly disclosed on June 7, 2022. No public proof-of-concept (PoC) code has been widely reported, but the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the widespread use of NocoDB, organizations should prioritize patching.
Organizations using NocoDB to manage sensitive data, particularly those with publicly accessible instances or those who allow user-generated content within NocoDB, are at significant risk. Shared hosting environments where multiple NocoDB instances reside on the same server are also vulnerable, as a compromise of one instance could potentially lead to lateral movement to others.
• nodejs / server: Monitor NocoDB application logs for unusual JavaScript execution patterns or error messages related to input validation. Use grep to search for suspicious script tags or inline event handlers in log files.
grep -iE 'script src=|on[a-z]+=' /var/log/nocodb/app.log
• generic web: Use curl to test various input fields for XSS vulnerabilities. Check response headers for X-XSS-Protection and Content-Security-Policy headers (these are response headers, so dump the server's headers rather than sending them with the request).
curl -s -D - -o /dev/null 'https://your-nocodb-instance.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -iE 'x-xss-protection|content-security-policy'
Disclosure
Exploit status
EPSS
0.41% (62nd percentile)
CVSS vector
The primary mitigation for CVE-2022-2022 is to immediately upgrade NocoDB to version 0.91.7 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within NocoDB. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review NocoDB's access control lists and ensure users have only the necessary permissions to perform their tasks. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through a user input field and verifying it is properly sanitized.
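The detection and mitigation steps above, as an added Node.js example that is not NocoDB project code: a version check against the fixed release, a scan of log lines for the script-tag and event-handler patterns the grep step looks for, and the HTML output encoding recommended as an interim mitigation. The log lines and the request path in them are constructed samples, and the version string is assumed to come from the instance's package.json or About page.

```javascript
'use strict';

const FIXED_VERSION = '0.91.7'; // release that contains the fix, per this advisory

// Compare dotted numeric versions; true when `installed` is older than `fixed`.
function isVulnerableVersion(installed, fixed = FIXED_VERSION) {
  const a = installed.replace(/^v/, '').split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false; // equal to the fixed version
}

// Indicators of script injection in stored field values or request logs:
// script tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs.
const XSS_PATTERNS = [/<\s*script\b/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

function looksLikeXss(text) {
  return XSS_PATTERNS.some((re) => re.test(text));
}

// Return only the log lines that match one of the indicators.
function findSuspiciousLines(lines) {
  return lines.filter(looksLikeXss);
}

// HTML-escape an untrusted field value before rendering it into a page
// (output encoding, the interim mitigation the advisory recommends).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample log lines (not real NocoDB output or routes).
const SAMPLE_LOG = [
  '2022-06-07T10:01:02Z POST /api/rows body={"Title":"Quarterly report"}',
  '2022-06-07T10:02:15Z POST /api/rows body={"Title":"<script src=//example.test/x.js></script>"}',
  '2022-06-07T10:03:40Z POST /api/rows body={"Notes":"<img src=x onerror=alert(1)>"}',
];
```

Running findSuspiciousLines(SAMPLE_LOG) flags the second and third lines; isVulnerableVersion('0.91.6') is true and isVulnerableVersion('0.91.7') is false.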
Upgrade NocoDB to version 0.91.7 or later. This version contains a fix for the stored Cross-Site Scripting (XSS) vulnerability. The upgrade can be performed through the administration panel or by following the upgrade instructions provided by NocoDB.
CVE-2022-2022 is a CRITICAL Cross-Site Scripting (XSS) vulnerability affecting NocoDB versions prior to 0.91.7, allowing attackers to inject malicious scripts.
If you are using a NocoDB version earlier than 0.91.7, you are vulnerable to this XSS attack. Check your version and upgrade immediately.
Upgrade NocoDB to version 0.91.7 or later to resolve this vulnerability. Consider implementing input validation and WAF rules as additional security measures.
While no widespread exploitation has been confirmed, the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the NocoDB GitHub repository for the latest security advisories and updates: https://github.com/nocodb/nocodb/security/advisories/GHSA-5g9x-c67r-979r