js · nocodb · Heads-up
NocoDB: Reflected XSS in password-reset page via unescaped URL token
The password-reset page in NocoDB had a reflected XSS vulnerability where the URL token was embedded directly into a JavaScript string literal in an EJS template without proper escaping.
What changed
The fix takes the token out of the script: it is now placed in an HTML attribute and read via dataset.token at runtime.
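The pattern described above, as an added example that is not NocoDB's code: the template shapes, submitReset and the function names are assumptions, and the token is a constructed value. It renders the token both ways and checks that only the attribute version keeps the script source independent of the URL.

```javascript
// Constructed illustration; template shapes and names are assumptions,
// not NocoDB's actual source. submitReset is a hypothetical page function.

// Constructed token containing the characters that matter to both parsers.
const SAMPLE_TOKEN = `tok'"<>&`;

// HTML-attribute escaping, as an escaped template output tag would apply.
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#34;', "'": '&#39;' };
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENT[c]);
}

// Before: the URL token is pasted raw into a JS string literal.
function renderVulnerable(token) {
  return `<script>var token = '${token}'; submitReset(token);</script>`;
}

// After: the token is attribute data; the script text never changes.
function renderFixed(token) {
  return `<div id="reset" data-token="${escapeAttr(token)}"></div>` +
    `<script>var token = document.getElementById('reset').dataset.token;` +
    ` submitReset(token);</script>`;
}

// Source text the JavaScript parser would receive.
function scriptBody(html) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(html);
  return m ? m[1] : '';
}

// Regression check: request data must not alter the script source.
function scriptIsConstant(render) {
  return scriptBody(render('token-A')) === scriptBody(render(SAMPLE_TOKEN));
}

// What dataset.token yields: the attribute value with entities decoded.
function readDatasetToken(html) {
  const m = /data-token="([^"]*)"/.exec(html);
  if (!m) return null;
  return m[1].replace(/&(?:amp|lt|gt|#34|#39);/g,
    (e) => Object.keys(ENT).find((k) => ENT[k] === e));
}

console.log('vulnerable script constant:', scriptIsConstant(renderVulnerable));
console.log('fixed script constant:     ', scriptIsConstant(renderFixed));
console.log('token round-trips:         ',
  readDatasetToken(renderFixed(SAMPLE_TOKEN)) === SAMPLE_TOKEN);
```

The scriptIsConstant check works as a template regression test: any render function whose script body differs between two tokens is interpolating request data into code.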
Who it affects
Any user who clicks a malicious password-reset link; no authentication required.
What to do today
Update NocoDB to the patched version that escapes the token in the password-reset template.
Source
GitHub Advisory · nocodb