CVE-2023-35843
https://notcve.org/view.php?id=CVE-2023-35843
NocoDB through 0.106.0 (or 0.109.1) has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, including configuration files, source code, and other sensitive information.
References:
https://github.com/Lserein/CVE-2023-35843
https://github.com/b3nguang/CVE-2023-35843
https://advisory.dw1.io/60
https://github.com/nocodb/nocodb/blob/6decfa2b20c28db9946bddce0bcb1442b683ecae/packages/nocodb/src/lib/controllers/attachment.ctl.ts#L62-L74
https://github.com/nocodb/nocodb/blob/f7ee7e3beb91d313a159895d1edc1aba9d91b0bc/packages/nocodb/src/controllers/attachments.controller.ts#L55-L66
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-3423 – Allocation of Resources Without Limits or Throttling in nocodb/nocodb
https://notcve.org/view.php?id=CVE-2022-3423
Allocation of Resources Without Limits or Throttling in GitHub repository nocodb/nocodb prior to 0.92.0. A Denial of Service in the GitHub repository nocodb/nocodb in versions prior to 0.92.0.
References:
https://github.com/nocodb/nocodb/commit/000ecd886738b965b5997cd905825e3244f48b95
https://huntr.dev/bounties/94639d8e-8301-4432-ab80-e76e1346e631
CWE-770: Allocation of Resources Without Limits or Throttling
CVE-2022-2339 – Server-Side Request Forgery (SSRF) in nocodb/nocodb
https://notcve.org/view.php?id=CVE-2022-2339
With this SSRF vulnerability, an attacker can reach internal addresses to make a request as the server and read its contents. This attack can lead to a leak of sensitive information.
References:
https://github.com/nocodb/nocodb/commit/000ecd886738b965b5997cd905825e3244f48b95
https://huntr.dev/bounties/fff06de8-2a82-49b1-8e81-968731e87eef
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2022-2079 – Cross-site Scripting (XSS) - Stored in nocodb/nocodb
https://notcve.org/view.php?id=CVE-2022-2079
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.
References:
https://github.com/nocodb/nocodb/commit/362f8f0869989bc13bdcd66c6fc9c86ac79b9992
https://huntr.dev/bounties/2615adf2-ff40-4623-97fb-2e4a3800202a
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2064 – Insufficient Session Expiration in nocodb/nocodb
https://notcve.org/view.php?id=CVE-2022-2064
Insufficient Session Expiration in GitHub repository nocodb/nocodb prior to 0.91.7+.
References:
https://github.com/nocodb/nocodb/commit/c9b5111b25aea2781e19395a8e9107ddbd235a2b
https://huntr.dev/bounties/39523d51-fc5c-48b8-a082-171da79761bb
CWE-613: Insufficient Session Expiration