The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.
Start learningA fix was pushed into the master branch but not yet published.
nocodb is a NocoDB
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the axiosRequestMake spreadsheet-fetch URL handling in packages/nocodb/src/services/utils.service.ts. An attacker can make the server request internal HTTP endpoints, including cloud metadata services, by supplying a crafted spreadsheet import URL whose path contains a permitted extension and bypasses the hand-rolled IP blocklist. The vulnerable code accepted spreadsheet URLs when .xls, .xlsx, .xlsm, .ods, .ots, or .csv appeared anywhere in the full URL string, so a URL such as http://169.254.169.254/credentials/.xlsx passed the gate. Because the request was made from the NocoDB process, authenticated users with editor access could reach internal network resources and exfiltrate sensitive metadata or other internal responses.