js · nocodb · Heads-up
NocoDB SQL Injection via Column Title in Bulk GroupBy Endpoint
What changed
An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a SQL fragment.
Who it affects
Users of NocoDB with authenticated sessions and column-create or rename permissions.
What to do today
Review and restrict column-create/rename permissions, and apply any available patches or workarounds.
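The bug class described above, as an added illustration that is not NocoDB's code and not its patch: a group-by query builder that pastes a user-controlled column title into SQL text, next to a hardened builder and a title audit. It assumes the title is used as a result alias and a dialect that quotes identifiers with double quotes; the table, columns, alias `grp` and all function names are constructed for this example.

```javascript
// Constructed metadata: user-facing titles mapped to physical column names.
const columns = [
  { title: 'Status', column_name: 'status' },
  { title: 'Owner', column_name: 'owner_id' },
];

// Unsafe pattern: the user-editable title is concatenated into the SQL text.
// A title containing a double quote ends the quoted alias early.
function unsafeGroupBy(table, col) {
  return `SELECT "${col.column_name}" AS "${col.title}", COUNT(*) AS "count" ` +
         `FROM "${table}" GROUP BY "${col.column_name}"`;
}

// Quote an identifier: double any embedded quote, reject empty and NUL input.
function quoteIdent(name) {
  if (typeof name !== 'string' || name.length === 0 || name.includes('\0')) {
    throw new TypeError('invalid identifier');
  }
  return '"' + name.replace(/"/g, '""') + '"';
}

// Hardened pattern: the requested title is only a lookup key into metadata.
// The SQL uses a fixed alias; the title is returned out of band for the response.
function safeGroupBy(table, requestedTitle, meta) {
  const col = meta.find((c) => c.title === requestedTitle);
  if (!col) throw new Error('unknown column');
  const ident = quoteIdent(col.column_name);
  const sql = `SELECT ${ident} AS "grp", COUNT(*) AS "count" ` +
              `FROM ${quoteIdent(table)} GROUP BY ${ident}`;
  return { sql, aliasToTitle: { grp: col.title } };
}

// Review aid: list existing titles that contain SQL metacharacters.
function auditTitles(meta) {
  const suspicious = /["'`;\\]|--|\/\*/;
  return meta.filter((c) => suspicious.test(c.title)).map((c) => c.title);
}

// Constructed sample: a title with an embedded double quote.
const sample = { title: 'St"atus', column_name: 'status' };
console.log(unsafeGroupBy('tasks', sample));
console.log(safeGroupBy('tasks', sample.title, [sample]).sql);
console.log(auditTitles([...columns, sample]));
```

Running `auditTitles` over exported column metadata gives a quick list of titles to inspect while permissions are being tightened.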
Source
GitHub Advisory · nocodb