nocodb@0.202.7 vulnerabilities

NocoDB Backend

Known vulnerabilities in the nocodb package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Vulnerability	Vulnerable Version
M Unrestricted Upload of File with Dangerous Type nocodb is a NocoDB Affected versions of this package are vulnerable to Unrestricted Upload of File with Dangerous Type through the `attachment` field upload process. An attacker can execute arbitrary JavaScript code in the context of the user accessing the uploaded file by uploading a malicious HTML file containing JavaScript code. How to fix Unrestricted Upload of File with Dangerous Type? Upgrade `nocodb` to version 0.202.10 or higher.	>=0.202.6 <0.202.10
H Cross-site Scripting (XSS) nocodb is a NocoDB Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `replaceUrlsWithLink` function. An attacker can execute arbitrary JavaScript code by embedding malicious content within the formula fields that are improperly sanitized before being displayed. How to fix Cross-site Scripting (XSS)? Upgrade `nocodb` to version 0.202.9 or higher.	<0.202.9
M SQL Injection nocodb is a NocoDB Affected versions of this package are vulnerable to SQL Injection through the `columnList` method. An attacker with create access can execute arbitrary SQL commands and potentially access or modify sensitive data by including a special character (') in the table name to manipulate the SQL query. How to fix SQL Injection? Upgrade `nocodb` to version 0.202.10 or higher.	<0.202.10