CVE-2022-2063 – Improper Privilege Management in nocodb/nocodb
https://notcve.org/view.php?id=CVE-2022-2063
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.7+.
References: https://github.com/nocodb/nocodb/commit/269a19c2ad89a0e8a7596498e3806ff2ec1040c2 | https://huntr.dev/bounties/156f405b-21d6-4384-9bff-17ebfe484e20
Weakness: CWE-269: Improper Privilege Management
CVE-2022-2062 – Generation of Error Message Containing Sensitive Information in nocodb/nocodb
https://notcve.org/view.php?id=CVE-2022-2062
Generation of Error Message Containing Sensitive Information in GitHub repository nocodb/nocodb prior to 0.91.7+.
References: https://github.com/nocodb/nocodb/commit/a18f5dd53811b9ec1c1bb2fdbfb328c0c87d7fb4 | https://huntr.dev/bounties/35593b4c-f127-4699-8ad3-f0b2203a8ef6
Weakness: CWE-209: Generation of Error Message Containing Sensitive Information
CVE-2022-2022 – Cross-site Scripting (XSS) - Stored in nocodb/nocodb
https://notcve.org/view.php?id=CVE-2022-2022
Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7.
References: https://github.com/nocodb/nocodb/commit/ffad5a318ad60d1da1c75dd28152827b94c92e9d | https://huntr.dev/bounties/f6082949-40d3-411c-b613-23ada2691913
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-22121 – NocoDB - CSV Injection in User Management
https://notcve.org/view.php?id=CVE-2022-22121
In NocoDB, versions 0.81.0 through 0.83.8 are affected by a CSV Injection (Formula Injection) vulnerability. A low-privileged attacker can create a new table and inject payloads into the table rows. When an administrator accesses the User Management endpoint, exports the data as a CSV file, and opens it, the payload is executed.
References: https://github.com/nocodb/nocodb/commit/079e3abe | https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22121
Weakness: CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVE-2022-22120 – NocoDB - Observable Discrepancy in the password-reset feature
https://notcve.org/view.php?id=CVE-2022-22120
In NocoDB, versions 0.9 to 0.83.8 are vulnerable to an Observable Discrepancy in the password-reset feature. When a password reset is requested for a given email address, the application displays an error message if the email is not registered in the system. This allows attackers to enumerate the registered users' email addresses.
References: https://github.com/nocodb/nocodb/commit/f46e89b0 | https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22120
Weakness: CWE-203: Observable Discrepancy