CRITICAL · CVE-2022-2022 · CVSS 9

Cross-site Scripting (XSS) - Stored in nocodb/nocodb


Platform: nodejs

Component: nocodb

Fixed in: 0.91.7

AI Confidence: high · NVD · EPSS 0.4% · Reviewed: May 2026

CVE-2022-2022 describes a Cross-Site Scripting (XSS) vulnerability discovered in NocoDB, a self-hosted, open-source Airtable alternative. This stored XSS vulnerability allows attackers to inject malicious scripts into the application, potentially leading to unauthorized code execution and data compromise. The vulnerability affects versions of NocoDB prior to 0.91.7, and a patch has been released to address the issue.

Impact and Attack Scenarios

The impact of this XSS vulnerability is significant. An attacker could inject malicious JavaScript code that executes in the context of other users' browsers. This could be used to steal session cookies, redirect users to phishing sites, or deface the application. Successful exploitation could grant an attacker full control over user accounts and potentially the entire NocoDB instance, depending on the permissions configured. The stored nature of the XSS means the injected script persists until removed, allowing for repeated exploitation without further attacker action. This is particularly concerning in environments where NocoDB is used to manage sensitive data.

Exploitation Context

CVE-2022-2022 was publicly disclosed on June 7, 2022. No public proof-of-concept (PoC) code has been widely reported, but the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the widespread use of NocoDB, organizations should prioritize patching.

Who Is at Risk

Organizations using NocoDB to manage sensitive data, particularly those with publicly accessible instances or those who allow user-generated content within NocoDB, are at significant risk. Shared hosting environments where multiple NocoDB instances reside on the same server are also vulnerable, as a compromise of one instance could potentially lead to lateral movement to others.

Detection Steps

• nodejs / server: Monitor NocoDB application logs for unusual JavaScript execution patterns or error messages related to input validation. Use grep to search for suspicious script tags or event handlers in log files.

grep -iE '<script|on[a-z]+=' /var/log/nocodb/app.log

• generic web: Use curl to test various input fields for XSS vulnerabilities. Check response headers for X-XSS-Protection and Content-Security-Policy headers.

curl -s -D - -o /dev/null -G --data-urlencode 'q=<script>alert(1)</script>' 'https://your-nocodb-instance.com/search' | grep -iE '^(content-security-policy|x-xss-protection):'
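A small log scanner, added here as an example (not part of the original page or of NocoDB), that goes beyond the single-pattern grep above: it decodes URL-encoding and HTML entities before matching, so a payload that only appears encoded in a request log is still flagged. The "timestamp METHOD path body" log shape and the sample lines are constructed for illustration.

```python
"""Scan NocoDB-style request log lines for stored-XSS indicators."""
import html
import re
import urllib.parse

# Indicator patterns a defender flags in user-supplied cell values.
# Heuristics only: every hit still needs a manual look at the stored row.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def normalise(value: str) -> str:
    """Undo the encodings a payload commonly hides behind before matching.

    A plain grep for 'script src=' misses '%3Cscript%3E' in a URL-encoded
    body or '&lt;script&gt;' in an entity-encoded one, so decode
    URL-encoding twice (double-encoded payloads) and then HTML entities.
    """
    decoded = value
    for _ in range(2):
        decoded = urllib.parse.unquote_plus(decoded)
    return html.unescape(decoded)


def find_indicators(line: str) -> list:
    """Names of the XSS patterns present in one normalised log line."""
    text = normalise(line)
    return [name for name, pat in XSS_PATTERNS.items() if pat.search(text)]


def scan_log(lines):
    """Return (line_number, indicators, raw_line) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_indicators(line)
        if found:
            hits.append((number, found, line.rstrip()))
    return hits


# Constructed sample lines; the "timestamp METHOD path body" shape is an
# assumption for illustration, not NocoDB's actual log format.
SAMPLE_LOG = [
    '2022-06-07T10:00:01Z POST /tables/Tasks/rows {"Title":"Quarterly report"}',
    '2022-06-07T10:00:05Z POST /tables/Tasks/rows {"Title":"%3Cscript%3Ealert(1)%3C/script%3E"}',
    '2022-06-07T10:00:09Z PATCH /tables/Tasks/rows/2 {"Notes":"<img src=x onerror=alert(1)>"}',
    '2022-06-07T10:00:12Z GET /dashboard',
]
```

Run `scan_log` over your real log lines; lines 2 and 3 of the constructed sample are reported, the URL-encoded one only because of the decoding step.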

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.41% (percentile 62%)

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
9.0 CRITICAL

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (level of authentication required)
User Interaction: Required (whether a victim action is required)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service interruption)

nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?

Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
Required: the victim must open a file, click a link, or visit a page.
Scope
Changed: the attack can pivot beyond the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify, or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: nocodb
Vendor: nocodb
Affected range: unspecified – 0.91.7
Fixed in: 0.91.7

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2022-2022 is to immediately upgrade NocoDB to version 0.91.7 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within NocoDB. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review NocoDB's access control lists and ensure users have only the necessary permissions to perform their tasks. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through a user input field and verifying it is properly sanitized.

How to Fix

Update NocoDB to version 0.91.7 or later. This version contains a fix for the stored Cross-Site Scripting (XSS) vulnerability. The update can be performed through the administration panel or by following the upgrade instructions provided by NocoDB.


Frequently Asked Questions

What is CVE-2022-2022 — XSS in NocoDB?

CVE-2022-2022 is a CRITICAL Cross-Site Scripting (XSS) vulnerability affecting NocoDB versions prior to 0.91.7, allowing attackers to inject malicious scripts.

Am I affected by CVE-2022-2022 in NocoDB?

If you are using NocoDB version 0.91.7 or earlier, you are vulnerable to this XSS attack. Check your version and upgrade immediately.

How do I fix CVE-2022-2022 in NocoDB?

Upgrade NocoDB to version 0.91.7 or later to resolve this vulnerability. Consider implementing input validation and WAF rules as additional security measures.

Is CVE-2022-2022 being actively exploited?

While no widespread exploitation has been confirmed, the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.

Where can I find the official NocoDB advisory for CVE-2022-2022?

Refer to the NocoDB GitHub repository for the latest security advisories and updates: https://github.com/nocodb/nocodb/security/advisories/GHSA-5g9x-c67r-979r
