GHSA-wf6c-hrhf-86cw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wf6c-hrhf-86cw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-wf6c-hrhf-86cw/GHSA-wf6c-hrhf-86cw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wf6c-hrhf-86cw
- Aliases
- Published
- 2025-03-06T18:52:17Z
- Modified
- 2025-03-06T21:36:42Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- NocoDB Vulnerable to Reflected Cross-Site Scripting on Reset Password Page
- Details
-
Summary
The API endpoint related to the password reset function is vulnerable to Reflected Cross-Site-Scripting.
Details
Throughout the source-code analysis, it has been found that the endpoint /api/v1/db/auth/password/reset/:tokenId is vulnerable to Reflected Cross-Site-Scripting.
The flaw occurs due to implementation of the client-side template engine ejs, specifically on file resetPassword.ts where the template is using the insecure function “<%-“ https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
which is rendered by the function renderPasswordReset: https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251PoC
Send the request below to a vulnerable instance:
/api/v1/db/auth/password/reset/asdsad%3C%2F%73%63%72%69%70%74%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E/Impact
The vulnerability affect end-users, allowing an attacker to craft and send a malicious link to the victim which leads running script on their browser.
Credits
- Database specific
{ "github_reviewed_at": "2025-03-06T18:52:17Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2025-03-06T19:15:27Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/nocodb/nocodb/security/advisories/GHSA-wf6c-hrhf-86cw
- https://nvd.nist.gov/vuln/detail/CVE-2025-27506
- https://github.com/nocodb/nocodb/commit/ea821edb133e621e26183ae65c8ff9ee5d6f2723
- https://github.com/nocodb/nocodb
- https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/auth.controller.ts#L251
- https://github.com/nocodb/nocodb/blob/ba5a191b33259d984fc92df225f7d82ede2ddb56/packages/nocodb/src/modules/auth/ui/auth/resetPassword.ts#L71
Affected packages
npm / nocodb
Package
- Name
- nocodb
- View open source insights on deps.dev
- Purl
- pkg:npm/nocodb