VYPR
← All advisories
High severityNVD Advisory· Published May 13, 2024· Updated Aug 2, 2024

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue

CVE-2023-49781

Description

NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
nocodbnpm
< 0.202.90.202.9

Affected products

1

Patches

1
7f58ce3726df

fix: sanitise formula text before rendering

https://github.com/nocodb/nocodbPranav CNov 22, 2023via ghsa
commit
1 file changed · +8 1
  • packages/nc-gui/utils/urlUtils.ts+8 1 modified
    @@ -6,8 +6,15 @@ export const replaceUrlsWithLink = (text: string): boolean | string => {
   }
 
   const rawText = text.toString()
+
+  // create a temporary element to sanitise the string
+  // by encoding any html code
+  const tempEl = document.createElement('div')
+  tempEl.textContent = rawText
+  const sanitisedText = tempEl.innerHTML
+
   let found = false
-  const out = rawText.replace(/URI::\((.*?)\)/g, (_, url) => {
+  const out = sanitisedText.replace(/URI::\((.*?)\)/g, (_, url) => {
     found = true
     const a = document.createElement('a')
     a.textContent = url

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.