VDB
EN
HIGH

GHSA-jf3g-4gwg-4h66

NocoDB: Stored Cross-Site Scripting via Row Comments

Details

### Summary

An authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view.

### Details

The comment write paths persisted the raw comment body with no server-side sanitisation; the expanded-form sidebar then rendered the stored body and fed its `data-tooltip` attribute to Tippy with `allowHTML: true`. Even when the editor stripped script tags at write time, attribute-level payloads re-entered the DOM as live HTML on hover.
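As an added example that is not NocoDB's code, the following JavaScript contrasts the two rendering paths the advisory describes: a tag-only strip whose output is handed to a tooltip configured with `allowHTML: true`, and the hardened path of escaping the body as text and leaving `allowHTML` off. The helpers `stripScriptTags`, `escapeHtml`, `containsRawTag` and `tooltipConfig`, and the sample comment, are constructed for this illustration; Tippy itself is not called, only the options object it would receive is built.

```javascript
// Added example (not NocoDB's or Tippy's code): why a tag-only strip is not a
// fix when the consumer re-parses the string as HTML, and what the safe path is.

// Naive sanitiser of the kind the advisory describes: it removes <script>
// elements but leaves every other element and attribute untouched.
function stripScriptTags(body) {
  return body.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Hardened path: escape the HTML metacharacters so the body can only ever be
// rendered as text, no matter how the tooltip library is configured.
function escapeHtml(body) {
  return String(body)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Detection helper: does the string still contain a raw start tag that a
// consumer using innerHTML / allowHTML would turn into a live element?
function containsRawTag(s) {
  return /<[a-z][^>]*>/i.test(s);
}

// Build the options a tooltip would receive. The vulnerable shape mirrors the
// advisory (raw body after a script strip, allowHTML: true); the hardened
// shape escapes the body and keeps allowHTML off. Hypothetical helper; the
// real component code is not reproduced here.
function tooltipConfig(body, { hardened }) {
  if (!hardened) {
    return { content: stripScriptTags(body), allowHTML: true };
  }
  return { content: escapeHtml(body), allowHTML: false };
}

// Constructed sample comment: no <script> element at all, only an ordinary
// tag carrying an event-handler attribute, which a tag-only strip ignores.
const SAMPLE_COMMENT = 'looks good <span onmouseover="run()">to me</span>';

// Summarise what each path lets through to the DOM.
function compare(body) {
  return {
    vulnerableLeaksMarkup: containsRawTag(tooltipConfig(body, { hardened: false }).content),
    hardenedLeaksMarkup: containsRawTag(tooltipConfig(body, { hardened: true }).content),
  };
}

console.log(compare(SAMPLE_COMMENT));
```

The point the comparison makes is that the defence belongs at the rendering boundary: a tooltip that is told `allowHTML: true` will re-parse whatever reaches it, so the only robust options are to escape the body (or run it through an allow-list sanitiser) and to leave `allowHTML` disabled for user-controlled text.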

### Impact

Stored Cross-Site Scripting against any user who views the affected row. Script runs in the NocoDB origin with the victim's session and can read the auth JWT from `localStorage`. Authentication and comment permission are required.

### Credit

This issue was reported by [@DavidCarliez](https://github.com/DavidCarliez). It was independently reported by [@Mouhebbenelwafi](https://github.com/Mouhebbenelwafi).


Affected packages

npm / nocodb
First affected version: 0
Fixed version: 2026.05.1
Fix: npm install nocodb@2026.05.1

References