CVE-2023-49781

NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.1 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574	Patch
https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h	Exploit Vendor Advisory
https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574	Patch
https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*

History

26 Aug 2025, 18:52

Type	Values Removed	Values Added
First Time		Nocodb Nocodb nocodb
CPE	cpe:2.3:a:xgenecloud:nocodb::::::::	cpe:2.3:a:nocodb:nocodb::::::::

21 Aug 2025, 16:56

Type	Values Removed	Values Added
CPE		cpe:2.3:a:xgenecloud:nocodb::::::::
References	~~() https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574 -~~	() https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574 - Patch
References	~~() https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h -~~	() https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h - Exploit, Vendor Advisory
First Time		Xgenecloud Xgenecloud nocodb

Information

Published : 2024-05-14 14:06

Updated : 2025-08-26 18:52

NVD link : CVE-2023-49781

Mitre link : CVE-2023-49781

CVE.ORG link : CVE-2023-49781

JSON object : View

Products Affected

nocodb

nocodb

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-49781", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.3}]}, "published": "2024-05-14T14:06:05.637", "references": [{"url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nocodb/nocodb/commit/7f58ce3726dfec71537d8b80474a0f95a48a1574", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-h6r4-xvw6-jc5h", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "NocoDB is software for building databases as spreadsheets. Prior to 0.202.9, a stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of \"urls\" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged. This vulnerability is fixed in 0.202.9.\n"}, {"lang": "es", "value": "NocoDB es un software para crear bases de datos como hojas de c\u00e1lculo. Antes de 0.202.9, exist\u00eda una vulnerabilidad de Cross Site Scripting almacenado dentro de la funcionalidad de comentarios de celda virtual de F\u00f3rmula. El nc-gui/components/virtual-cell/Formula.vue muestra una etiqueta v-html con el valor de \"urls\" cuyo contenido es procesado por la funci\u00f3n replaceUrlsWithLink(). Esta funci\u00f3n reconoce el patr\u00f3n URI::(XXX) y crea una etiqueta de hiperv\u00ednculo <a rel=\"nofollow\"> con href=XXX. Sin embargo, deja todos los dem\u00e1s contenidos fuera del patr\u00f3n URI::(XXX) sin cambios. Esta vulnerabilidad est\u00e1 solucionada en 0.202.9.</a>"}], "lastModified": "2025-08-26T18:52:39.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nocodb:nocodb:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D33CF79A-1205-4967-8D38-120B9541F9F5", "versionEndExcluding": "0.202.9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}