No analysis available yet.
No remediation available yet.
| Source | ID | Title |
|---|---|---|
| EUVD | EUVD-2024-3105 | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue. |
| Github GHSA | GHSA-pw3x-c5vp-mfc3 | OpenRefine has a reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt) |
| Ubuntu USN | USN-7260-1 | OpenRefine vulnerabilities |
Mon, 28 Oct 2024 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Openrefine, Openrefine openrefine | |
| CPEs | cpe:2.3:a:openrefine:openrefine:*:*:*:*:*:*:*:* | |
| Vendors & Products | Openrefine, Openrefine openrefine | |
| Metrics | ssvc | |
Thu, 24 Oct 2024 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue. | |
| Title | Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt) | |
| Weaknesses | CWE-79 | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2024-10-28T13:00:42.860Z
Reserved: 2024-10-04T16:00:09.630Z
Link: CVE-2024-47878
Updated: 2024-10-28T13:00:37.392Z
Status : Analyzed
Published: 2024-10-24T21:15:12.293
Modified: 2026-06-17T07:57:54.280
Link: CVE-2024-47878
No data.
OpenCVE Enrichment
No data.
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')