CVE-2022-22121

NocoDB - CSV Injection in User Management

CVSS 8 HIGH · EPSS 1.2% · CWE-1236
In short

NocoDB allows attackers to inject malicious code into CSV files through table data. When an admin exports and opens the file in a spreadsheet application, the code executes automatically, potentially compromising the admin's system.

Technical detail

A CSV injection vulnerability in NocoDB 0.81.0–0.83.8 allows low-privileged users to inject formula payloads into table rows. When an administrator exports user management data as CSV and opens the file in a spreadsheet application, the formulas are evaluated on the administrator's machine under the administrator's account, enabling arbitrary code execution or data exfiltration.

Summary generated and translated by AI from the official description.
In NocoDB, versions 0.81.0 through 0.83.8 are affected by a CSV Injection vulnerability (Formula Injection). A low-privileged attacker can create a new table to inject payloads in the table rows. When an administrator accesses the User Management endpoint, exports the data as a CSV file and opens it, the payload gets executed.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
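As an added defender-side example (not NocoDB's own code), the helper below shows the mitigation for this class of bug: a CSV export that neutralizes any cell starting with a formula trigger character (the set OWASP recommends checking) and reports which cells looked like formulas so the export can be audited. The user rows and the `=2+3` cell are constructed sample data.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a
# formula. Note the trade-off: a legitimate negative number or "+44..." phone
# number also gets neutralized, which is the safe default for an admin export.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a string cell would be evaluated as a formula in a spreadsheet."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix a leading single quote so the spreadsheet treats the cell as text.
    csv.writer quotes the cell for us, so no manual double-quote escaping is needed."""
    if is_formula_like(value):
        return "'" + value
    return value


def export_csv(rows, fieldnames):
    """Write rows (list of dicts) as CSV text with every cell neutralized.
    Returns (csv_text, findings); findings lists (row_index, column) for each
    formula-like cell so the export can be logged and the row investigated."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    findings = []
    for i, row in enumerate(rows):
        safe_row = {}
        for col in fieldnames:
            value = row.get(col, "")
            if is_formula_like(value):
                findings.append((i, col))
            safe_row[col] = neutralize_cell(value)
        writer.writerow(safe_row)
    return buf.getvalue(), findings


# Constructed sample: user records as an admin might export them; the second
# row carries a harmless formula-style value in the display-name field.
SAMPLE_ROWS = [
    {"email": "alice@example.com", "display_name": "Alice", "role": "viewer"},
    {"email": "mallory@example.com", "display_name": "=2+3", "role": "viewer"},
]
```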
Affected products
nocodb · nocodb
