HIGH🇵🇱 Wersja polska

CVE-2024-47878

CVSS 8.1v3.1pub. 2024-10-24upd. 2024-10-30

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
  • Openrefine

    APP
    Openrefine
    < 3.8.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2023-41887CRITICAL9.8ten sam produkt

OpenRefine is a powerful free, open source tool for working with messy data. Prior to version 3.7.5, a remote ...

CVE-2024-47879HIGH7.6ten sam produkt

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, lack of cross-site...

CVE-2024-47881HIGH8.1ten sam produkt

OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to ...

CVE-2024-47880HIGH8.1ten sam produkt

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` ...

CVE-2024-49760HIGH7.1ten sam produkt

OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang`...