CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47878 – Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)
https://notcve.org/view.php?id=CVE-2024-47878
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue. • https://github.com/OpenRefine/OpenRefine/commit/10bf0874d67f1018a58b3732332d76b840192fea https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-pw3x-c5vp-mfc3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-23833 – OpenRefine JDBC Attack Vulnerability
https://notcve.org/view.php?id=CVE-2024-23833
OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. • https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41887 – Remote Code exec in project import with mysql jdbc url attack
https://notcve.org/view.php?id=CVE-2023-41887
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote code execution vulnerability allows any unauthenticated user to execute code on the server. Version 3.7.5 has a patch for this issue. OpenRefine es una potente herramienta gratuita de código abierto para trabajar con datos desordenados. Antes de la versión 3.7.5, una vulnerabilidad de ejecución remota de código permitía a cualquier usuario no autenticado ejecutar código en el servidor. • https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-41886 – OpenRefine vulnerable to arbitrary file read in project import with mysql jdbc url attack
https://notcve.org/view.php?id=CVE-2023-41886
OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, an arbitrary file read vulnerability allows any unauthenticated user to read a file on a server. Version 3.7.5 fixes this issue. OpenRefine es una potente herramienta gratuita de código abierto para trabajar con datos desordenados. Antes de la versión 3.7.5, una vulnerabilidad de lectura de archivos arbitraria permitía a cualquier usuario no autenticado leer un archivo en un servidor. • https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-41401
https://notcve.org/view.php?id=CVE-2022-41401
OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure. OpenRefine contiene una vulnerabilidad de Server-Side Request Forgery (SSRF) que afecta a las versiones 3.5.2 e inferiores. Esto permite a usuarios no autorizados explotar el sistema, llevando potencialmente al acceso no autorizado a recursos internos y a la divulgación de archivos sensibles. • https://github.com/ixSly/CVE-2022-41401 https://github.com/OpenRefine/OpenRefine/blob/30d6edb7b6586623bda09456c797c35983fb80ff/main/tests/server/src/com/google/refine/importing/ImportingUtilitiesTests.java#L180 https://github.com/OpenRefine/OpenRefine/blob/cb55cdfdf6f9ca916839778dc847cce803688998/main/src/com/google/refine/importing/ImportingUtilities.java#L103 • CWE-918: Server-Side Request Forgery (SSRF) •