The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsA fix was pushed into the master branch but not yet published.
nocodb is a NocoDB
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the spreadsheet import URL check in UtilsService._axiosRequestMake in packages/nocodb/src/services/utils.service.ts. An attacker can make the server fetch an arbitrary URL by submitting a spreadsheet-import request whose target URL passes the extension allowlist, such as a non-spreadsheet path with a query string ending in .csv. Because the allowlist was applied to the full URL string instead of the URL pathname, the endpoint accepted crafted URLs that were not actually spreadsheet files. This lets an attacker coerce the NocoDB process into issuing HTTP requests on their behalf, including requests to internal services reachable from the host.
Notes
?.csv satisfied the check.