What happened
NocoBase's in-app notification plugin exposed a public list endpoint whose timestamp filter parameter is directly inserted into a SQL query, permitting unauthenticated blind SQL injection.
Why it matters
NocoBase is marketed as an AI-powered application builder used for building business/enterprise apps; unauthenticated SQL injection with CVSS 10.0 can lead to full database compromise of any application built on the affected platform.
Attack vector
The GET /api/myInAppChannels:list endpoint inserts the filter[latestMsgReceiveTimestamp][$lt] value into a SQL query without sanitization, letting an unauthenticated attacker perform time-based blind SQL injection against the underlying database.
Affected systems
NocoBase @nocobase/plugin-notification-in-app-message, prior to 2.0.61
Mitigation
Upgrade to NocoBase 2.0.61 or later.