Cross-site Scripting (XSS) - Stored in nocodb/nocodb
Platform
nodejs
Component
nocodb
Fixed in
0.91.7
CVE-2022-2022 describes a stored Cross-Site Scripting (XSS) vulnerability discovered in NocoDB, a self-hosted, open-source Airtable alternative. The vulnerability allows attackers to inject malicious scripts into the application that later execute in other users' browsers, potentially leading to account and data compromise. It affects NocoDB versions prior to 0.91.7, and a patch has been released to address the issue.
Impact and Attack Scenarios
The impact of this XSS vulnerability is significant. An attacker could inject malicious JavaScript code that executes in the context of other users' browsers. This could be used to steal session cookies, redirect users to phishing sites, or deface the application. Successful exploitation could grant an attacker full control over user accounts and potentially the entire NocoDB instance, depending on the permissions configured. The stored nature of the XSS means the injected script persists until removed, allowing for repeated exploitation without further attacker action. This is particularly concerning in environments where NocoDB is used to manage sensitive data.
Exploitation Context
CVE-2022-2022 was publicly disclosed on June 7, 2022. No public proof-of-concept (PoC) code has been widely reported, but the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Given the CRITICAL severity and the widespread use of NocoDB, organizations should prioritize patching.
Who Is at Risk
Organizations using NocoDB to manage sensitive data, particularly those with publicly accessible instances or those who allow user-generated content within NocoDB, are at significant risk. Shared hosting environments where multiple NocoDB instances reside on the same server are also vulnerable, as a compromise of one instance could potentially lead to lateral movement to others.
Detection Steps
• nodejs / server: Monitor NocoDB application logs for unusual JavaScript execution patterns or error messages related to input validation. Use grep to search for suspicious script tags or event handlers in log files:
grep -i 'script src=' /var/log/nocodb/app.log
• generic web: Use curl to submit a test payload to an input field and inspect the response; -i prints the response headers, so you can also check whether X-XSS-Protection and Content-Security-Policy are set:
curl -si -G --data-urlencode 'q=<script>alert(1)</script>' https://your-nocodb-instance.com/search
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.41% (62nd percentile)
CVSS vector
What do these metrics mean?
- Attack Vector
- Network: remotely exploitable over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- Low: any valid user account is sufficient.
- User Interaction
- Required: the victim must open a file, click a link or visit a page.
- Scope
- Changed: the attack can extend beyond the vulnerable component to other systems.
- Confidentiality
- High: complete loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete crash or resource exhaustion. Total denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2022-2022 is to immediately upgrade NocoDB to version 0.91.7 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within NocoDB. While not a complete solution, a Web Application Firewall (WAF) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review NocoDB's access control lists and ensure users have only the necessary permissions to perform their tasks. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through a user input field and verifying it is properly sanitized.
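An added example, not code from the NocoDB project, that covers the two defender-side points on this page: the log review for script tags and event handlers from the detection steps, and the output encoding recommended above as a stopgap mitigation. The log lines, paths and field names are constructed for illustration.

```javascript
// Added example, not code from the NocoDB project. Two small Node.js helpers:
//  - escapeHtml(): output-encode an untrusted cell value before it is placed in
//    an HTML text node or attribute value (the stopgap mitigation described above);
//  - findSuspiciousMarkup(): review log lines (or exported cell values) for
//    script tags and inline event handlers, the patterns the grep step looks for.
// Assumption: the log format used below is constructed for illustration only.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that carry meaning in HTML text and attribute values.
// This is only correct for HTML text/attribute context; values placed in a
// JavaScript, URL or CSS context need a context-specific encoder instead.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Patterns that warrant a manual review when they appear in user-supplied data.
// They are deliberately broad: a false positive costs a glance, a miss costs more.
const SUSPICIOUS = [
  { rule: 'script-tag', re: /<\s*script\b/i },       // <script ...>
  { rule: 'event-handler', re: /\son[a-z]+\s*=/i },  // onerror=, onload=, ...
];

// Returns one hit per (line, rule) pair; line numbers are 1-based.
function findSuspiciousMarkup(lines) {
  const hits = [];
  lines.forEach((text, i) => {
    for (const { rule, re } of SUSPICIOUS) {
      if (re.test(text)) hits.push({ line: i + 1, rule });
    }
  });
  return hits;
}

// Constructed sample log lines; the format and paths are not real NocoDB output.
const SAMPLE_LOG = [
  '2022-06-07T10:00:01Z INFO PATCH /rows/17 title="Quarterly report"',
  '2022-06-07T10:00:02Z INFO PATCH /rows/18 title="<script>alert(1)</script>"',
  '2022-06-07T10:00:03Z INFO PATCH /rows/19 notes="<img src=x onerror=alert(1)>"',
  '2022-06-07T10:00:04Z INFO GET /rows count=25',
];

console.log(findSuspiciousMarkup(SAMPLE_LOG));        // lines 2 and 3 are flagged
console.log(escapeHtml('<script>alert(1)</script>'));  // rendered as inert text
```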
How to Fix
Upgrade NocoDB to version 0.91.7 or later. This version contains a fix for the stored Cross-Site Scripting (XSS) vulnerability. The upgrade can be performed through the admin panel or by following the upgrade instructions provided by NocoDB.
Frequently Asked Questions
What is CVE-2022-2022 — XSS in NocoDB?
CVE-2022-2022 is a CRITICAL Cross-Site Scripting (XSS) vulnerability affecting NocoDB versions prior to 0.91.7, allowing attackers to inject malicious scripts.
Am I affected by CVE-2022-2022 in NocoDB?
If you are using a NocoDB version earlier than 0.91.7, you are vulnerable to this XSS attack. Check your version and upgrade immediately.
How do I fix CVE-2022-2022 in NocoDB?
Upgrade NocoDB to version 0.91.7 or later to resolve this vulnerability. Consider implementing input validation and WAF rules as additional security measures.
Is CVE-2022-2022 being actively exploited?
While no widespread exploitation has been confirmed, the ease of XSS exploitation suggests a high probability of exploitation if the vulnerability remains unpatched.
Where can I find the official NocoDB advisory for CVE-2022-2022?
Refer to the NocoDB GitHub repository for the latest security advisories and updates: https://github.com/nocodb/nocodb/security/advisories/GHSA-5g9x-c67r-979r