CVE-2024-49760 – OpenRefine has a path traversal in LoadLanguageCommand
https://notcve.org/view.php?id=CVE-2024-49760
OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue. • https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-47882 – OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
https://notcve.org/view.php?id=CVE-2024-47882
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. • https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53 https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2 https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-81: Improper Neutralization of Script in an Error Message Web Page •
CVE-2024-47881 – OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
https://notcve.org/view.php?id=CVE-2024-47881
OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Version 3.8.3 fixes this issue. • https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056 https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-47880 – OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand
https://notcve.org/view.php?id=CVE-2024-47880
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. • https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-348: Use of Less Trusted Source •
CVE-2024-47879 – OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-47879
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fixes the issue. • https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126 https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •