SB2024051365 - Multiple vulnerabilities in NocoDB

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Arbitrary file upload (CVE-ID: CVE-2023-50717)

The vulnerability allows a remote user to execute arbitrary JavaScript code in the context of the user viewing a uploaded file.

The vulnerability exists due to unrestricted upload of file with dangerous type in the attachment file upload and preview functionality when handling uploaded HTML files. A remote user can upload a specially crafted HTML file and cause script execution when a user opens the file in a browser to execute arbitrary JavaScript code in the context of the user viewing a uploaded file.

User interaction is required to open the crafted file in a browser.

2) SQL injection (CVE-ID: CVE-2023-50718)

The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to improper neutralization of special elements used in an sql command in VitessClient.ts when processing a user-supplied table name for MySQL queries. A remote privileged user can send a specially crafted table name to disclose sensitive information and modify data.

Create access is required for exploitation.

Remediation

Install update from vendor's website.

References

• https://github.com/nocodb/nocodb/security/advisories/GHSA-qg73-g3cf-vhhh
• https://github.com/nocodb/nocodb/security/advisories/GHSA-8fxg-mr34-jqr8
• https://github.com/advisories/GHSA-8fxg-mr34-jqr8