Mend Vulnerability Database
What is a CVE vulnerability ID? What is a WS vulnerability ID? What is an MSC vulnerability ID?New vulnerability? Tell us about it!
We found results for “”
Date: January 10, 2022
OverviewIn NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered within the system. This allows attackers to enumerate the registered users' email addresses.
DetailsNocoDB password-reset feature displays an error message when an email doesn’t exist in the application. This allows attackers to enumerate the registered users' email addresses.
PoC DetailsSign up to the NocoDB application with your email address, then logout and go to the reset password page.
Enter the email address that you registered with and you should see the system replies with a success message which indicates that the email address exists, try again with some random email and you should get a message showing that the user does not exist.
Affected Environments0.9 to 0.83.8
PreventionUpdate to version 0.84.0 or later
Good to know:
|Attack Vector (AV):||Network|
|Attack Complexity (AC):||Low|
|Privileges Required (PR):||None|
|User Interaction (UI):||None|
|Access Vector (AV):||Network|
|Access Complexity (AC):||Low|