
We found results for “”
CVE-2022-22120
Date: January 10, 2022
Overview
In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered within the system. This allows attackers to enumerate the registered users' email addresses.Details
NocoDB password-reset feature displays an error message when an email doesn’t exist in the application. This allows attackers to enumerate the registered users' email addresses.PoC Details
Sign up to the NocoDB application with your email address, then logout and go to the reset password page.Enter the email address that you registered with and you should see the system replies with a success message which indicates that the email address exists, try again with some random email and you should get a message showing that the user does not exist.
Affected Environments
0.9 to 0.83.8Prevention
Update to version 0.84.0 or laterLanguage: VUE
Good to know:


Upgrade Version
No fix version available
Base Score: |
|
---|---|
Attack Vector (AV): | Network |
Attack Complexity (AC): | Low |
Privileges Required (PR): | None |
User Interaction (UI): | None |
Scope (S): | Unchanged |
Confidentiality (C): | Low |
Integrity (I): | None |
Availability (A): | None |
Base Score: |
|
---|---|
Access Vector (AV): | Network |
Access Complexity (AC): | Low |
Authentication (AU): | None |
Confidentiality (C): | Partial |
Integrity (I): | None |
Availability (A): | None |
Additional information: |