MEDIUM 6.1

GHSA-9qgr-6vpg-9gh9

NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL

Details

### Summary

A reflected XSS vulnerability exists in the Page Leaving Warning page. The `ncRedirectUrl` and `ncBackUrl` query parameters are used in `window.location.href` and `<a>` tag bindings without validation, allowing `javascript:` URI injection.

### Details

`PageLeavingWarning.vue` reads `ncRedirectUrl` and `ncBackUrl` directly from the route query without validation. When `isSameOriginUrl()` returns `false` (as it does for `javascript:` URIs), the raw URL is assigned to `window.location.href`, executing arbitrary JavaScript. The redirect URL is also bound directly to an `<a>` tag's `href` attribute.

### Impact

An attacker can execute arbitrary JavaScript in the context of the NocoDB application by sending a crafted link to a victim. No authentication is required.

### Credit

This issue was reported by [@naoyashiga](https://github.com/naoyashiga).

Affected packages

npm / nocodb
Introduced in: 0

No fixed version published yet for nocodb (npm). Pin to a known-safe version or switch to an alternative.
