{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49781", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-30T13:39:50.861Z", "datePublished": "2024-05-13T18:54:54.196Z", "dateUpdated": "2024-08-02T22:01:25.824Z"}, "containers": {"cna": {"title": "NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h"}, {"name": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "tags": ["x_refsource_MISC"], "url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574"}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"version": "< 0.202.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-13T18:54:54.196Z"}, "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of \"urls\" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.\n"}], "source": {"advisory": "GHSA-h6r4-xvw6-jc5h", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-49781", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-13T19:49:05.633322Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*"], "vendor": "nocodb", "product": "nocodb", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:27:51.204Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:01:25.824Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h"}, {"name": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "name": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:01:25.824Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-49781", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-13T19:49:05.633322Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*"], "vendor": "nocodb", "product": "nocodb", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-13T19:49:58.658Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue", "source": {"advisory": "GHSA-h6r4-xvw6-jc5h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nocodb", "product": "nocodb", "versions": [{"status": "affected", "version": "< 0.202.9"}]}], "references": [{"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "name": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "name": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of \"urls\" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-13T18:54:54.196Z"}}}, "cveMetadata": {"cveId": "CVE-2023-49781", "state": "PUBLISHED", "dateUpdated": "2024-08-02T22:01:25.824Z", "dateReserved": "2023-11-30T13:39:50.861Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-13T18:54:54.196Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*", "matchCriteriaId": "D33CF79A-1205-4967-8D38-120B9541F9F5", "versionEndExcluding": "0.202.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of \"urls\" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.\n"}, {"lang": "es", "value": "NocoDB es un software para crear bases de datos como hojas de c\u00e1lculo. Antes de 0.202.9, exist\u00eda una vulnerabilidad de Cross Site Scripting almacenado dentro de la funcionalidad de comentarios de celda virtual de F\u00f3rmula. El nc-gui/components/virtual-cell/Formula.vue muestra una etiqueta v-html con el valor de \"urls\" cuyo contenido es procesado por la funci\u00f3n replaceUrlsWithLink(). Esta funci\u00f3n reconoce el patr\u00f3n URI::(XXX) y crea una etiqueta de hiperv\u00ednculo <a rel=\"nofollow\"> con href=XXX. Sin embargo, deja todos los dem\u00e1s contenidos fuera del patr\u00f3n URI::(XXX) sin cambios. Esta vulnerabilidad est\u00e1 solucionada en 0.202.9.</a>"}], "id": "CVE-2023-49781", "lastModified": "2025-08-26T18:52:39.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-05-14T14:06:05.637", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-12T16:01:18.079138+00:00", "updated": "2025-07-12T16:01:18.079186+00:00", "vendors": ["nocodb", "nocodb$PRODUCT$nocodb"]}