NocoDB, Unvalidated Redirect Vulnerability, CVE-2023-43781 (Medium)

Listen to this Post

The vulnerability is an open redirect in NocoDB’s authentication flow. It stems from inadequate validation of the user-controlled `continueAfterSignIn` query parameter. A helper function, isFullUrl, uses a permissive regular expression (/^(https?:)?\/\//) to check if the parameter is a full URL. This regex matches any string starting with `http://`, `https://`, or //, treating protocol-relative URLs as valid.
When a user authenticates via a crafted login link containing this parameter, the application logic passes the validated (but not restricted) URL to the `navigateTo` function. Since there is no allowlist or origin check for the destination, the function performs an unconditional client-side navigation to the attacker-supplied external site immediately after successful login. This allows the redirection of an authenticated user to any arbitrary, potentially malicious, domain.
Platform: NocoDB
Version: Pre-v0.106.7
Vulnerability: Open Redirect
Severity: Medium
date: 2023

Prediction: 2023-10-18

What Undercode Say:

`curl -I “https://target//signin?continueAfterSignIn=//evil.com”`

`/^(https?:)?\/\//`

`if(isFullUrl(redirect)) navigateTo(redirect, { external: true });`

How Exploit:

`https://victim-nocodb.example//signin?continueAfterSignIn=https://phish.com`

Protection from this CVE

Validate redirect URLs against a strict allowlist of permitted domains or paths. Implement server-side validation of the `continueAfterSignIn` parameter. Use relative URLs or signed tokens for redirect targets.

Impact:

Credential theft phishing.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top