GHSA-6xcx-7qmg-vjfq
NocoDB: Reflected Cross-Site Scripting via Password Reset Token
### Summary
The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS `<%= %>` HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and execute attacker-controlled script in the NocoDB origin. Triggering required only that a victim follow a malicious password-reset link.
### Details
The vulnerable template embedded the token as:
```ejs
token: '<%= token %>',
```
A token containing `';alert(document.cookie);//` closes the single-quoted string and runs arbitrary JavaScript. The fix moves the token into an HTML attribute (`data-token="…"`) and reads it from `dataset.token` at runtime, so EJS's HTML-entity escaping is sufficient.
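As an added illustration (not NocoDB's or EJS's code), the following JavaScript models the two renderings the advisory contrasts. `escapeHtml` is a constructed encoder, not EJS's, that covers only `& < > "` so the behaviour described above is visible; `PAYLOAD` reuses the token from this section as the sample input.

```javascript
// Added example, not code from NocoDB or EJS. escapeHtml is a constructed
// minimal entity encoder covering & < > " only; it leaves ' and \ alone to
// model the behaviour the advisory describes, so the breakout is visible.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;' };
  return String(s).replace(/[&<>"]/g, (c) => map[c]);
}

function decodeHtml(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&#34;': '"' };
  return s.replace(/&(amp|lt|gt|#34);/g, (m) => map[m]);
}

// Vulnerable pattern: the token is interpolated into a JS string literal.
// Entity encoding is the wrong tool for this context: the browser does not
// decode entities inside <script>, and ' and \ delimit the string.
function renderVulnerable(token) {
  return `<script>\n  const cfg = { token: '${escapeHtml(token)}' };\n</script>`;
}

// Does an entity-encoded token stay inside a single-quoted JS literal?
// After encoding, ' and \ are the only characters that still alter the
// string's boundaries (the < of a </script> tag is already encoded).
function staysInJsString(token) {
  return !/['\\]/.test(escapeHtml(token));
}

// Fixed pattern from the advisory: the token lives in a double-quoted HTML
// attribute, where entity encoding is the right tool, and the script reads
// it back through dataset.token at runtime.
function renderFixed(token) {
  return `<div id="reset" data-token="${escapeHtml(token)}"></div>\n` +
    '<script>\n  const el = document.getElementById("reset");\n' +
    '  const cfg = { token: el.dataset.token };\n</script>';
}

// Check that the fixed rendering carries the token through intact: read the
// attribute value as an HTML parser would (up to the next double quote) and
// confirm it decodes back to the original token.
function tokenRoundTrips(token) {
  const m = renderFixed(token).match(/data-token="([^"]*)"/);
  return m !== null && decodeHtml(m[1]) === token;
}

// The advisory's payload, reused here as a constructed test input.
const PAYLOAD = "';alert(document.cookie);//";
```

Running `staysInJsString(PAYLOAD)` returns false while `tokenRoundTrips(PAYLOAD)` returns true, which is the whole difference between the two contexts.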
### Impact
- Reflected XSS in the NocoDB origin via a phished password-reset URL.
- No authentication required to trigger; affects any user who clicks the crafted link.
- Same-origin script can read auth state and act on the victim's behalf.
### Credit
This issue was reported by [@fg0x0](https://github.com/fg0x0).