CVE-2022-22120

In NocoDB, versions 0.9 to 0.83.8 are vulnerable to Observable Discrepancy in the password-reset feature. When requesting a password reset for a given email address, the application displays an error message when the email isn't registered within the system. This allows attackers to enumerate the registered users' email addresses.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
MendCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 49%
VendorProductVersion
xgenecloudnocodb
0.9 ≤
𝑥
≤ 0.83.8
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nocodb/nocodb/commit/f46e89b0
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22120
https://github.com/nocodb/nocodb/commit/f46e89b0
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22120