CVE-2022-2079 in NocoDB

Summary

by MITRE • 06/14/2022

Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/nocodb prior to 0.91.7+.


Analysis

by VulDB Data Team • 08/26/2025

CVE-2022-2079 is a stored cross-site scripting flaw in the nocodb repository management system, affecting versions prior to 0.91.7. It arises from inadequate input validation and output sanitization in the application's data-handling processes. An authenticated attacker with write privileges can inject script code into the database; when other users later view the affected content, that code executes in their browsers. The flaw manifests specifically when user-supplied data containing script code is stored and later retrieved for display without proper sanitization. It is classified under CWE-79 (improper neutralization of input during web page generation) and is particularly dangerous because the payload persists and can affect multiple users over time. The attack requires an authenticated user with sufficient privileges to modify repository content, which aligns with ATT&CK technique T1059.007 (command and scripting interpreter) and T1566.001 (credential access through social engineering).

The operational impact extends beyond simple script execution: an attacker can escalate privileges, steal session cookies, perform unauthorized actions on behalf of victims, and potentially access sensitive repository data. Injected scripts can establish persistent backdoors, redirect users to phishing sites, or exfiltrate confidential information from the repository environment. Because the payload is stored, it remains active until it is removed, creating a long-term risk for every user who interacts with the affected content. The vulnerability sits in the core functionality of nocodb where user-generated content is stored and displayed, making it a critical concern for organizations that rely on the product for data storage and collaboration.

Mitigation for CVE-2022-2079 should start with upgrading to version 0.91.7 or later, which adds proper input validation and output sanitization. Organizations should filter input comprehensively, stripping or encoding potentially dangerous characters and sequences before user data is stored, and apply context-aware output encoding to all data displayed in web interfaces so that stored content is escaped before rendering. They should also enforce least privilege by limiting write access to repository content to trusted users, and audit stored data regularly. Network segmentation and monitoring can help detect anomalous script-injection patterns, and security awareness training for developers helps prevent similar flaws in future code. The fix in version 0.91.7 shows the proper application of input validation, output encoding, and secure coding practices in line with OWASP Top Ten recommendations for preventing XSS.
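The two mitigations above that live in code, context-aware output encoding and an audit of already-stored data, are shown below in an added example; this is not NocoDB's code, and the row/cell shape and the sample rows are constructed for illustration.

```javascript
// Added example (not NocoDB's code): encode stored cell content for the HTML
// context it lands in, and audit stored rows for markup that would become
// active if any view rendered it unescaped. All sample data is constructed.

// Escape for an HTML text node (content between tags).
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Escape for a double-quoted HTML attribute value (quotes matter here too).
function escapeHtmlAttr(value) {
  return escapeHtmlText(value).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Vulnerable pattern: a stored value is concatenated straight into markup.
function renderCellUnsafe(cell) {
  return `<td title="${cell}">${cell}</td>`;
}

// Hardened pattern: each interpolation is encoded for its own context.
function renderCellSafe(cell) {
  return `<td title="${escapeHtmlAttr(cell)}">${escapeHtmlText(cell)}</td>`;
}

// Triage heuristic for auditing stored data: tags, javascript: URLs, event handlers.
const SUSPICIOUS_MARKUP = /<\s*\/?\s*[a-z][^>]*>|javascript\s*:|\bon\w+\s*=/i;

// Return {rowId, column} for every string cell that trips the heuristic.
function auditStoredRows(rows) {
  const findings = [];
  for (const row of rows) {
    for (const [column, value] of Object.entries(row.cells)) {
      if (typeof value === 'string' && SUSPICIOUS_MARKUP.test(value)) {
        findings.push({ rowId: row.id, column });
      }
    }
  }
  return findings;
}

// Constructed sample rows (hypothetical table): row 2 holds markup, row 3 only punctuation.
const SAMPLE_ROWS = [
  { id: 1, cells: { name: 'Alice', note: 'Quarterly review' } },
  { id: 2, cells: { name: 'Bob <b>bold</b>', note: '<script>alert(1)</script>' } },
  { id: 3, cells: { name: 'Carol', note: 'See "Q3" & onward' } },
];
```

The audit regex is a triage heuristic that will flag harmless markup too; findings should be reviewed, not deleted automatically.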

Responsible: Huntr.dev

Reservation: 06/14/2022

Disclosure: 06/14/2022

Moderation: accepted

CPE: ready

EPSS: 0.00678

KEV: no

Activities: very low
