Lucene search
Hisokix094639D8E-8301-4432-AB80-E76E1346E631HistoryJun 16, 2022 - 7:50 a.m.
The NocoDB application allows large characters to insert in the input field "New Project" on the create field which can allow attackers to cause a Denial of Service (DoS) via a crafted HTTP request
2022-06-1607:50:49
hisokix0
www.huntr.dev
20
nocodb
dos attack
http request
input validation
excessive characters
security vulnerability
patch recommendation
EPSS
0.001
Percentile
31.9%
Proof of Concept
Go to http://localhost:8080/dashboard/#/projects
Click on New project and create
Fill the “Enter project name” field with huge characters, (more than 1 lakh)
Copy the below payload and put it in the input fields and click on continue.
You will see the application accepts large characters and if we will increase the characters then it can lead to Dos.
Download the payload from here:
https://drive.google.com/file/d/13IK67Sx93nvnb_3gLUBDLgoEC7XTQiso/view?usp=sharing
Video & Image POC:
https://drive.google.com/drive/folders/1N6h02blexPhQyj4MdfyPwNTOmKEXIfMu?usp=sharing
Patch recommendation:
The Project name input should be limited to 50 characters or a max of 100 characters.
Related
prion
prion
Design/Logic Flaw
2022-10-07 11:15:00
cvelist
cvelist
cnvd
cnvd
NocoDB Resource Management Error Vulnerability
2022-10-10 00:00:00
veracode
veracode
Denial Of Service (DoS)
2022-10-12 16:15:51
osv
osv
NocoDB vulnerable to Denial of Service
2022-10-07 18:16:01
CVE-2022-3423
2022-10-07 11:15:10
github
github
NocoDB vulnerable to Denial of Service
2022-10-07 18:16:01
nvd
nvd
CVE-2022-3423
2022-10-07 11:15:10
cve
cve
CVE-2022-3423
2022-10-07 11:15:10