Cross-site Scripting (XSS) - Stored in nocodb/nocodb
अनुवाद हो रहा है…प्लेटफ़ॉर्म
nodejs
घटक
nocodb
में ठीक किया गया
0.91.7
CVE-2022-2022 describes a Cross-Site Scripting (XSS) vulnerability discovered in NocoDB, a self-hosted, open-source Airtable alternative. This stored XSS vulnerability allows attackers to inject malicious scripts into the application, potentially leading to unauthorized code execution and data compromise. The vulnerability affects versions of NocoDB prior to 0.91.7, and a patch has been released to address the issue.
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The impact of this XSS vulnerability is significant. An attacker could inject malicious JavaScript code that executes in the context of other users' browsers. This could be used to steal session cookies, redirect users to phishing sites, or deface the application. Successful exploitation could grant an attacker full control over user accounts and potentially the entire NocoDB instance, depending on the permissions configured. The stored nature of the XSS means the injected script persists until removed, allowing for repeated exploitation without further attacker action. This is particularly concerning in environments where NocoDB is used to manage sensitive data.
शोषण संदर्भअनुवाद हो रहा है…
CVE-2022-2022 was publicly disclosed on June 7, 2022. No public proof-of-concept (PoC) code has been widely reported, but the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the widespread use of NocoDB, organizations should prioritize patching.
कौन जोखिम में हैअनुवाद हो रहा है…
Organizations using NocoDB to manage sensitive data, particularly those with publicly accessible instances or those who allow user-generated content within NocoDB, are at significant risk. Shared hosting environments where multiple NocoDB instances reside on the same server are also vulnerable, as a compromise of one instance could potentially lead to lateral movement to others.
पहचान के चरणअनुवाद हो रहा है…
• nodejs / server: Monitor NocoDB application logs for unusual JavaScript execution patterns or error messages related to input validation. Use grep to search for suspicious script tags or event handlers in log files.
grep -i 'script src=' /var/log/nocodb/app.log• generic web: Use curl to test various input fields for XSS vulnerabilities. Check response headers for X-XSS-Protection and Content-Security-Policy headers.
curl -H "X-XSS-Protection: 1" https://your-nocodb-instance.com/search?q='<script>alert(1)</script>हमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.41% (62% शतमक)
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- निम्न — कोई भी वैध उपयोगकर्ता खाता पर्याप्त है।
- User Interaction
- आवश्यक — पीड़ित को फ़ाइल खोलनी, लिंक पर क्लिक करना या पेज पर जाना होगा।
- Scope
- बदला हुआ — हमला कमज़ोर घटक से परे अन्य प्रणालियों तक फैल सकता है।
- Confidentiality
- उच्च — पूर्ण गोपनीयता हानि। हमलावर सभी डेटा पढ़ सकता है।
- Integrity
- उच्च — हमलावर कोई भी डेटा लिख, बदल या हटा सकता है।
- Availability
- उच्च — पूर्ण क्रैश या संसाधन समाप्ति। पूर्ण सेवा से इनकार।
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2022-2022 is to immediately upgrade NocoDB to version 0.91.7 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within NocoDB. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review NocoDB's access control lists and ensure users have only the necessary permissions to perform their tasks. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through a user input field and verifying it is properly sanitized.
कैसे ठीक करेंअनुवाद हो रहा है…
Actualice NocoDB a la versión 0.91.7 o superior. Esta versión contiene una corrección para la vulnerabilidad de Cross-Site Scripting (XSS) almacenado. La actualización se puede realizar a través del panel de administración o siguiendo las instrucciones de actualización proporcionadas por NocoDB.
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2022-2022 — XSS in NocoDB?
CVE-2022-2022 is a CRITICAL Cross-Site Scripting (XSS) vulnerability affecting NocoDB versions prior to 0.91.7, allowing attackers to inject malicious scripts.
Am I affected by CVE-2022-2022 in NocoDB?
If you are using NocoDB version 0.91.7 or earlier, you are vulnerable to this XSS attack. Check your version and upgrade immediately.
How do I fix CVE-2022-2022 in NocoDB?
Upgrade NocoDB to version 0.91.7 or later to resolve this vulnerability. Consider implementing input validation and WAF rules as additional security measures.
Is CVE-2022-2022 being actively exploited?
While no widespread exploitation has been confirmed, the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Where can I find the official NocoDB advisory for CVE-2022-2022?
Refer to the NocoDB GitHub repository for the latest security advisories and updates: https://github.com/nocodb/nocodb/security/advisories/GHSA-5g9x-c67r-979r
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।