CVE-2024-47878 HIGH

CVE-2024-47878: Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)

Vendor Openrefine

Product OpenRefine

Weakness CWE-79 · XSS

Published October 24, 2024

Last update October 28, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.

Key dates

02Disclosure timeline

October 24, 2024 CVE published

October 28, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-47878 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2024-47878: Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)

01Description

02Disclosure timeline

03References

04Related CVE