CVE-2024-47882 MEDIUM

CVE-2024-47882: OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project

Vendor Openrefine
Product OpenRefine
Weakness CWE-79 · XSS
Published October 24, 2024
Last update October 25, 2024
View on NVD All CVEs

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

What the vulnerability does

01Description

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. Version 3.8.3 has a fix for this issue.

Key dates

02Disclosure timeline

October 24, 2024 CVE published
October 25, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-37342 WordPress Add Shortcodes Actions And Filters plugin <= 2.0.9 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability CVE-2024-30182 WordPress HT Mega – Absolute Addons For Elementor plugin <= 2.4.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-53988 Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0 CVE-2025-4576 CVE-2022-38189 There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript.