0.91.7
CVE-2022-2022 describes a Cross-Site Scripting (XSS) vulnerability discovered in NocoDB, a self-hosted, open-source Airtable alternative. This stored XSS vulnerability allows attackers to inject malicious scripts into the application, potentially leading to unauthorized script execution in other users' browsers and data compromise. The vulnerability affects versions of NocoDB prior to 0.91.7, and a patch has been released to address the issue.
The impact of this XSS vulnerability is significant. An attacker could inject malicious JavaScript code that executes in the context of other users' browsers. This could be used to steal session cookies, redirect users to phishing sites, or deface the application. Successful exploitation could grant an attacker full control over user accounts and potentially the entire NocoDB instance, depending on the permissions configured. The stored nature of the XSS means the injected script persists until removed, allowing for repeated exploitation without further attacker action. This is particularly concerning in environments where NocoDB is used to manage sensitive data.
CVE-2022-2022 was publicly disclosed on June 7, 2022. No public proof-of-concept (PoC) code has been widely reported, but the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the widespread use of NocoDB, organizations should prioritize patching.
EPSS: 0.41% (62nd percentile)
The primary mitigation for CVE-2022-2022 is to immediately upgrade NocoDB to version 0.91.7 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within NocoDB. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review NocoDB's access control lists and ensure users have only the necessary permissions to perform their tasks. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through a user input field and verifying it is properly sanitized.
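Two defender-side checks for the mitigation steps above, written as an added example rather than NocoDB project code: a version comparison against the fixed release named on this page, and an output-encoding renderer for stored cell values shown beside the unsafe interpolation pattern. The cell value is a constructed sample, and the function names are assumptions for illustration.

```javascript
// Added example (not NocoDB project code): two defender-side checks for CVE-2022-2022.
// 1. isAffectedVersion(): flag NocoDB versions below the fixed release 0.91.7.
// 2. renderCellHtml(): render a stored, user-supplied cell value with output
//    encoding so a stored payload is displayed as text instead of executing.
// The cell value below is constructed sample input, not real NocoDB data.

const FIXED_VERSION = "0.91.7"; // fixed release named on this page

// Compare dotted numeric versions; returns true when `version` is below FIXED_VERSION.
function isAffectedVersion(version) {
  const toParts = (v) => v.replace(/^v/, "").split(".").map((n) => parseInt(n, 10) || 0);
  const a = toParts(version);
  const b = toParts(FIXED_VERSION);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] ?? 0;
    const y = b[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false; // equal to the fixed version is not affected
}

// HTML-encode the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Unsafe pattern: interpolating the stored value straight into markup.
function renderCellHtmlUnsafe(value) {
  return `<td title="${value}">${value}</td>`;
}

// Hardened pattern: encode on output, in both the attribute and the text context.
function renderCellHtml(value) {
  const safe = escapeHtml(value);
  return `<td title="${safe}">${safe}</td>`;
}

// Constructed sample: a stored cell value carrying markup.
const sampleCell = "<script>alert(1)</script>";

if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(isAffectedVersion("0.91.6"), isAffectedVersion("0.91.7")); // true false
  console.log(renderCellHtml(sampleCell));
}
```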
Update NocoDB to version 0.91.7 or later. This version contains a fix for the stored Cross-Site Scripting (XSS) vulnerability. The update can be performed through the administration panel or by following the update instructions provided by NocoDB.
CVE-2022-2022 is a CRITICAL Cross-Site Scripting (XSS) vulnerability affecting NocoDB versions prior to 0.91.7, allowing attackers to inject malicious scripts.
If you are using a NocoDB version earlier than 0.91.7, you are vulnerable to this XSS attack. Check your version and upgrade immediately.
Upgrade NocoDB to version 0.91.7 or later to resolve this vulnerability. Consider implementing input validation and WAF rules as additional security measures.
While no widespread exploitation has been confirmed, the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Refer to the NocoDB GitHub repository for the latest security advisories and updates: https://github.com/nocodb/nocodb/security/advisories/GHSA-5g9x-c67r-979r