![](/assets/img/cve_300x82_sin_bg.png)
CVE-2024-49760 – OpenRefine has a path traversal in LoadLanguageCommand
https://notcve.org/view.php?id=CVE-2024-49760
24 Oct 2024 — OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. Version 3.8.3 addresses this issue. It was discovered that OpenRefine di... • https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-47882 – OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
https://notcve.org/view.php?id=CVE-2024-47882
24 Oct 2024 — OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. Howev... • https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-81: Improper Neutralization of Script in an Error Message Web Page •
CVE-2024-47880 – OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand
https://notcve.org/view.php?id=CVE-2024-47880
24 Oct 2024 — OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's... • https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-348: Use of Less Trusted Source •
CVE-2024-47879 – OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-47879
24 Oct 2024 — OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site request forgery protection on the `preview-expression` command means that visiting a malicious website could cause an attacker-controlled expression to be executed. The expression can contain arbitrary Clojure or Python code. The attacker must know a valid project ID of a project that contains at least one row, and the attacker must convince the victim to open a malicious webpage. Version 3.8.3 fix... • https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-47878 – Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)
https://notcve.org/view.php?id=CVE-2024-47878
24 Oct 2024 — OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `