Overview
In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered within the system. This allows attackers to enumerate the registered users' email addresses.
Details
NocoDB password-reset feature displays an error message when an email doesn’t exist in the application. This allows attackers to enumerate the registered users' email addresses.
PoC Details
Sign up to the NocoDB application with your email address, then logout and go to the reset password page.
Enter the email address that you registered with and you should see the system replies with a success message which indicates that the email address exists, try again with some random email and you should get a message showing that the user does not exist.
Affected Environments
0.9 to 0.83.8
Prevention
Update to version 0.84.0 or later