CVE-2023-50718
NocoDB SQL Injection vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
NocoDB is software for building databases as spreadsheets. Prior to version 0.202.10, an authenticated attacker with create access could conduct a SQL Injection attack on MySQL DB using unescaped `table_name`. This vulnerability may result in leakage of sensitive data in the database. Version 0.202.10 contains a patch for the issue.
NocoDB es un software para crear bases de datos como hojas de cálculo. Antes de la versión 0.202.10, un atacante autenticado con acceso de creación podía realizar un ataque de inyección SQL en una base de datos MySQL utilizando `table_name` sin escape. Esta vulnerabilidad puede provocar la fuga de datos confidenciales en la base de datos. La versión 0.202.10 contiene un parche para el problema.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-12-11 CVE Reserved
- 2024-05-13 CVE Published
- 2024-05-14 EPSS Updated
- 2024-08-21 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
URL | Tag | Source |
---|---|---|
https://github.com/nocodb/nocodb/security/advisories/GHSA-8fxg-mr34-jqr8 | X_refsource_confirm |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Nocodb Search vendor "Nocodb" | Nocodb Search vendor "Nocodb" for product "Nocodb" | < 0.202.10 Search vendor "Nocodb" for product "Nocodb" and version " < 0.202.10" | en |
Affected
|