Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a critical vulnerability in the NocoBase application development platform. The flaw could allow authenticated users to execute arbitrary commands on the underlying server by sending specially crafted requests. Given NocoBase's role in building business applications, this type of vulnerability could have significant implications if exploited, potentially leading to unauthorized access or control of sensitive systems.
- A flaw lets users run commands on the server.
- It impacts business apps built with NocoBase.
- Confirm relevance and potential exposure.
Attack Path
How an attacker could exploit the issue
An authenticated user of NocoBase can exploit a flaw in the in-app messaging feature to execute arbitrary PostgreSQL commands. By sending a specially crafted GET request to the `/api/myInAppChannels:list` endpoint, an attacker can manipulate the `filter[latestMsgReceiveTimestamp][$lt]` parameter. This parameter is directly embedded into a database query without proper sanitization, allowing the injection of additional SQL statements, including commands to run operating system processes.
- Entry condition: Authenticated user.
- Trigger point: Malicious GET request to API.
- Resulting risk: Command execution on server.
Live Threat
Current exploitation, exposure, and threat context
When supported by the advisory, an authenticated user could potentially execute arbitrary commands on the server. This could impact system data and service behavior by allowing unauthorized command execution.
- Server data and system commands at risk.
- Arbitrary command execution possible.
- Potential for unauthorized access.
Operational Fix
Recommended remediation, mitigation, and detection steps
For NocoBase deployments, application owners or platform teams are likely responsible for addressing this vulnerability. The first practical step is to identify all NocoBase instances, confirm their reachability and business criticality, and then determine the accountable owner for remediation planning.
- App owners and platform teams should lead.
- Verify NocoBase instances and their exposure.
- Plan and coordinate remediation efforts.